Automated identity assessment method and system

ABSTRACT

A method, system and software for assessing an entity (15) at a first user terminal (13) connected to a data network (10). A control system (11) is used to receive an access request (101) from the entity (15) or an assessing user (16) at a second user terminal (14). The control system (11) invokes or facilitates transmission of a time-delimited sequence of unpredictable prompts (18) to the entity (15) for a performance of visible prompted actions (20). A video recording (21) of the prompted action performance is stored in a data store (61) and the control system performs an automated assessment of the video recording (21) by a gesture recognition system (67d) and generates an assessment signal respectively including a positive or negative indication of whether or not said entity (15) validly performed said prompted actions.

CROSS-REFERENCE TO OTHER APPLICATIONS

This is a continuation of U.S. patent application Ser. No. 15/426,359,filed on Feb. 7, 2017, which is a continuation of U.S. patentapplication Ser. No. 14/749,631, filed on Jun. 24, 2015, now U.S. Pat.No. 9,602,495, which is a continuation of U.S. patent application Ser.No. 13/813,424, filed on Jan. 30, 2013 now U.S. Pat. No. 9,122,851,which is a National phase of international application No.PCT/IB2011/053429, filed on Aug. 2, 2011, which claims priority from NewZealand patent application No. 584335, filed Aug. 2, 2010, New Zealandpatent application No. 590227, filed Dec. 24, 2010, and 592029, filedMar. 30, 2011, all of which are incorporated herein by reference intheir entirety.

TECHNICAL FIELD

The present invention relates to user identity assessment methods andsystems.

BACKGROUND ART

Distributed communication technology has rapidly advanced as itsbenefits in business, government and other human endeavours become evermore apparent. Teleconferencing and videoconferencing is used frequentlyin business, government, military, education and other professional andnon-professional organizations as a means for providing communicationbetween separated individuals. The use of videoconferencing has alsobecome a commonplace facet in the personal life of many users,communicating via video-link over the internet, mobile phone or othernetworks.

In particular, the use of internet and mobile social networks as a meansof communication between individuals has rapidly increased inpopularity. In an increasing proportion of users, social networks havebecome the primary means of communication with people outside the users'immediate physical vicinity. Social networks offer a method ofcommunication that benefits many users. However, social networks havealso been abused by criminals and other malicious individuals to harmother users through deceitful practices such as the use of false ormisleading identities. Malicious users may portray themselves to beanother person to solicit money from another user or to deceivevulnerable individuals into a personal meeting for nefarious purposes.

As used herein, the term “social network” can be interpreted include thenow ubiquitous social networks such as Facebook™ and LinkedIn™, as wellas any networks created indirectly through collaboration in onlinegaming, online forums, relationship facilitation services (e.g. ‘datingsites’), virtual ‘worlds’ and similar formal and informal networks.

Such social networking sites allow people to interact with each otheronline using:

-   -   their own true identity,    -   an alias that may or may not be tied to their real identity, or    -   a false identity.

The use of aliases or false identities can often be harmless and evenovert, e.g. as in gaming applications. However, aliases or falseidentities can also cause problems as they provide the ability fordishonest people to assume an identity in order to conceal, deceive, ormislead others in some way. This deception can be used to gain trust ofvulnerable individuals (for example young people or children) whom wouldnot usually interact with people outside their age group, especially onissues of personal relationships or finances. Similarly, oninterpersonal dating sites it is possible for members to have profilepictures that are not accurate representations or may even be of anotherperson entirely. Thus, other users are deceived as to the true identityof the other person.

Social networking accounts may also be hijacked by criminals and used todiscredit the reputation of the legitimate owner or analyzed to extractsensitive information from the legitimate owner's account or theircontacts.

While passwords may provide some level of security, many users areincautious with password security and often use simplistic, easilyguessed passwords.

Typical network assessment methods rely on a simple text-based user-IDand password combination to verify an entity as an authorised user.However, such a text-based system of authentication provides no meansfor an assessing user to verify that an entity has not compromised theauthorised user's account.

Using text as a means of communication in Social networks also does notprovide visual verification of the registered user, thus providing ameans for presenting a fraudulent persona to other users, e.g. apaedophile may create a network account with false details and picturesand thereby present themselves as having a different appearance or beingthe same age as potential victims. Although more difficult to achievethan in text-based communication, users can also be deceived by voiceimpersonations in audio communication.

It will be apparent that people may communicate using conventional videocommunication which reduces the possibility of deception, i.e. theassessing user can compare the video images of the entity to theauthorised user's profile picture or their own personal knowledge.However, many people prefer not to use live video communication for avariety of reasons, including maintaining a level of privacy duringtheir online interactions, or not wanting others to see their facialexpressions and body language during communication. Hence text-basedcommunication has proved by far more popular than video communication ondata networks.

While other complex authentication methods may be used, e.g. biometricscanning, retina recognition, these systems generally requirespecialised hardware and/or software which may not be available orpractical to many applications. Thus, numerous authentication systemshave been devised to foil or at least hinder unauthorised hijacking ofuser accounts. Examples of common advanced authentication systemsinclude:

-   -   character recognition systems to stop automated hacking by        computer software;    -   multiple sequences of user-specific questions, e.g. “what city        were you born in?”    -   physical code sheets or the like, typically sent to the user's        verified address from which a code is requested by the network        to authenticate the user;    -   physical code generator devices time-synchronised with the        network;

However, none of these systems are fail-safe as they all rely on theuser taking precautions to avoid using common, easy to remember answersor preventing theft of the physical code devices.

Such systems also do not help in social networks or relationshipfacilitation services (e.g. online ‘dating’ networks) where users cansimply set up a user account with a false identity and credentials.Although traditional methods of authenticating users, e.g. throughbackground vetting, photo-ID comparisons or the like have been widelyemployed in the past, such methods are expensive and impractical formost social networks. Users of social networks may be distributed innumerous different countries, with differing privacy laws which maypreclude vetting assessments.

Thus, there are generally two major risks associated with communicationover existing communication networks.

Firstly, there is a risk that an unauthorised entity obtains access toanother user's network account or device and then communicates withother users who mistakenly believe the imposter is in fact genuine.

Secondly, there is a risk a fraudulent entity would create a networkaccount or profile with false details, thereby providing a means todeceive other.

It would thus be advantageous to provide a method and system forimproved authentication/assessment for users in accessing secure data,data networks and remote communication with other users.

All references, including any patents or patent applications cited inthis specification are hereby incorporated by reference. No admission ismade that any reference constitutes prior art. The discussion of thereferences states what their authors assert, and the applicants reservethe right to challenge the accuracy and pertinence of the citeddocuments. It will be clearly understood that, although a number ofprior art publications are referred to herein; this reference does notconstitute an admission that any of these documents form part of thecommon general knowledge in the art, in New Zealand or in any othercountry.

It is acknowledged that the term ‘comprise’ may, under varyingjurisdictions, be attributed with either an exclusive or an inclusivemeaning. For the purpose of this specification, and unless otherwisenoted, the term ‘comprise’ shall have an inclusive meaning—i.e. that itwill be taken to mean an inclusion of not only the listed components itdirectly references, but also other non-specified components orelements. This rationale will also be used when the term ‘comprised’ or‘comprising’ is used in relation to one or more steps in a method orprocess.

It is an object of the present invention to address the foregoingproblems or at least to provide the public with a useful choice.

Further aspects and advantages of the present invention will becomeapparent from the ensuing description which is given by way of exampleonly.

DISCLOSURE OF INVENTION

According to a first aspect of the present invention there is provided amethod of assessing an entity at a first user terminal connected to adata network, said method utilising a control system operable to performthe steps of:

-   -   a) receiving an access request from at least one of:        -   said entity;        -   an assessing user at a second user terminal connected to the            data network;    -   b) invoking or facilitating transmission of at least one        unpredictable prompt to said entity for a performance of a        visible prompted action;    -   c) invoking storage of at least one video recording of said        prompted action performance from said entity in a data store;    -   d) performing:        -   an automated assessment of said video recording; and/or        -   an invocation or facilitation of a transmission of said            video recording from said data store and details of said            prompt to a second user terminal for viewing and assessment            by an assessing user.

Preferably, said control system receives an assessment signal from saidassessing user and/or from said automated assessment.

Preferably, steps b) and c) are performed synchronously.

According to a second aspect of the present invention, there is provideda method of assessment of an entity at a first user terminal connectedto a data network, said assessment performed by an assessing user at asecond user terminal connected to the data network, the control systemoperable to perform the steps of:

-   -   a) receiving an access request from said entity or said        assessing user,    -   b) invoking or facilitating transmission of at least one        unpredictable prompt to said entity to perform a visible        prompted action;    -   c) invoking storage of at least one video recording of said        prompted action performance from said entity in a data store;    -   d) invoking or facilitating transmission of said video recording        from said data store and details of said prompt to said second        user terminal for viewing and assessment by said assessing user,    -   e) receiving from said assessing user an assessment signal.

According to a third aspect of the present invention, there is provideda control system for facilitating entity assessment of an entity at afirst user terminal connected to a data network, said control systemincluding a computer system with a computer processor coupled to asystem memory and programmed with computer readable instructionsexecutable to perform the following procedures:

-   -   a) receiving and processing data relating to an access request        from at least one of:        -   said entity;        -   an assessing user at a second user terminal connected to the            data network;    -   b) invoking or facilitating transmission of at least one        unpredictable prompt for said entity to perform a visible        prompted action;    -   c) invoking storage of at least one video recording of said        prompted action performance from said entity in a data store;    -   d) performing:        -   an automated assessment of said video recording; and/or        -   invocation or facilitation of transmission of said video            recording from said data store and details of said prompt to            an second user terminal for viewing and assessment by an            assessing user.

According to a fourth aspect of the present invention there is provideda control system for enabling entity assessment of an entity at a firstuser terminal connected to a data network, said assessment performed byan assessing user at a second user terminal connected to the datanetwork, said control system including a computer system with a computerprocessor coupled to a system memory and programmed with computerreadable instructions executable to perform the following procedures:

-   -   a) receiving and processing data relating to an access request        from said entity or said assessing user    -   b) invoking or facilitating transmission of at least one        unpredictable prompt to said entity to perform a visible        prompted action;    -   c) invoking storage of at least one video recording of said        prompted action performance from said entity in a data store;    -   d) invoking or facilitating transmission of said video recording        from said data store and details of said prompt to said second        user terminal for viewing and assessment by said assessing user,    -   e) receiving from said assessing user an assessment signal.

According to a fifth aspect of the present invention, there is providedcomputer software for enabling entity assessment of an entity at a firstuser terminal connected to a data network, said computer softwareembodied in computer-readable instructions executable to perform thefollowing procedures:

-   -   a) processing data relating to an access request from at least        one of:        -   said entity;        -   an assessing user at a second user terminal connected to the            data network;    -   b) invoking or facilitating transmission of at least one        unpredictable prompt to said entity to perform a visible        prompted action;    -   c) invoking storage of at least one video recording of said        prompted action performance from said entity in a data store;    -   d) performing:        -   an automated assessment of said video recording; and/or        -   invoking or facilitating transmission of said video            recording from said data store and details of said prompt to            a second user terminal for viewing and assessment by an            assessing user.

According to a sixth aspect of the present invention there is providedcomputer software for enabling assessment of an entity at a first userterminal connected to a data network, said assessment performed by anassessing user at a second user terminal connected to the data network,said computer software embodied in computer-readable instructionsexecutable to perform the following procedures:

-   -   a) receiving and processing data relating to an access request        from said entity or said assessing user    -   b) invoking or facilitating transmission of at least one        unpredictable prompt for said entity to perform a visible        prompted action;    -   c) invoking storage of at least one video recording of said        prompted action performance from said entity in a data store;    -   d) invoking or facilitating transmission of said video recording        from said data store and details of said prompt to said second        user terminal for viewing and assessment by said assessing user,    -   e) receiving and processing an assessment signal received from        said assessing user.

As used herein, the term “entity” should be understood to refer to anyperson, organisation or virtual entity.

A “user”, as referred to herein is any entity accessing the datanetwork, including “registered users” and “unregistered users”.

A “registered user”, as referred to herein is a user of the data networkthat has a set of identifying characteristics (and preferably other userdetails) stored in one or more related user records collectively forminga “user account” in a database in a data store accessible by the controlsystem. Axiomatically, an “unregistered user” is a user that has no suchcredentials or account but otherwise has some form of access to thefirst user terminal and/or data network.

The term “Identifying characteristics” as used herein refers to anycharacteristic of an entity that can be used to identify the entity,either singly or in combination with other characteristics. Exemplaryidentifying characteristics include name, gender, age, occupation,country-of-residence, nationality, profile image/photo, height, haircolour, eye colour, educational, sporting and health history and thelike.

A “persona” as used herein refers to the aspect of an entity's characterthat is portrayed to or perceived by the assessing user. The identifyingcharacteristics of a user account may collectively act as a “persona”portraying a user or other entity. Additionally, a persona may beprovided by external sources, e.g. famous persons may have an associatedpersona but may not be a user of the data network.

The “prompt” provided to the entity is unpredictable so that abelievable pre-prepared response cannot be fabricated by an imposter.

It will be appreciated that reference herein to “unpredictable” promptsshould also be understood to include random and pseudo-random prompts orany predetermined non-random selection of a prompt that prevents theentity from knowing which prompt will be provided.

As used herein, the term “data network” should be understood to refer toany electronic network having a control system capable of receiving andtransmitting data from user terminals. A data network may thus beconsidered to include virtual private networks (VPN), the internet,telephone/cellular networks, local area (LAN), wide area (WAN),wireless, WIFI, satellite, radio, UHF, VHF, infrared, mesh networks,Bluetooth, ZigBee or any other network having one or more controlsystems and connected terminals.

The data network preferably includes a “virtual network” formed fromconnections between multiple users connected to the data network.Examples of virtual networks include: social networks, gaming,banking/financial, relation facilitation services (e.g. datingwebsites), government, commercial, organisational, military, academic,entertainment or the like. Typical “virtual networks” are normallyembodied in related data records in a database. Each data recordpreferably corresponds to a registered user or a user terminal andgroups of data records relating to the same registered user or userterminal form a “user account”.

Preferably, said virtual network may include a relationship facilitationservice for allowing users to communicate with each other for thepurposes of forming a relationship, e.g. a ‘dating’ or ‘matching’service.

As used herein, the term “user terminal” refers to any device orcollection of devices, at least one of which is capable of connecting tothe control system to communicate on the data network and by way ofexample, includes a computer, mobile computing device, cellular phone,e-reader, tablet, PDA, games console, or combinations thereof. The userterminal may also be embodied in separate devices, e.g. a displaycapable of receiving data as well as a separate, distinct computerdevice for transmitting data.

It should be appreciated that the entity and assessing user may belocated at the same user terminal at different time periods or may be atdifferent user terminals, whether in the same location or remote to eachother, thus the ‘first user terminal’ may be the same as the ‘seconduser terminal’ in some circumstances and therefore it should beappreciated that reference herein to a “second user terminal” can beinterpreted to include the “first user terminal” and vice versa.

The control system is preferably a computer server and/or systemconfigured to receive and process the access request from a userterminal. It will be appreciated that the control system may comprisemultiple distributed computing resources. Preferably, the control systemmay include a “cloud-computing” based system. As used herein, the term“cloud-computing” refers to a computing capability that provides anabstraction between the computing resource and its underlying technicalarchitecture (e.g., servers, storage and networks), enabling on-demandnetwork access to a group of configurable computing resources.

It should be appreciated that the control system may have system memoryand a processor for executing software. It should be appreciated thatthese computing resources need not be in the same location, e.g. thecontrol system may be a virtual system using ‘cloud-computing’ resourceswith distributed processors, software and memory resources.

Preferably, where the data network includes an internet social network,said control system may include one or more social network servers and adatabase.

In addition the data network may be connected to a third party or remotecontrol system capable of sending and receiving data from the datanetwork.

As used herein the term “access request” may refer to any request for“access” to data, a virtual network, communication with users, or to thedata network itself and includes, but is not limited to direct orindirect:

-   -   access to the data network;    -   access, e.g. a to a virtual network e.g. a social network,        relationship facilitation service, blog, chat-room, RSS feed,        forum, data-sharing network or similar.    -   access to publish information;    -   access to a data resource;    -   access to a user terminal, e.g. a log-in to a computer operating        system;    -   acceptance of a contract, e.g. a license, terms of use, purchase        offer.    -   access to communication with another user, e.g. sending of an        instant message, e-mail, SMS message, dialling of phone number        or VOIP network (e.g. Skype®) identifier;    -   access to recover lost passwords or login information.

Preferably, the prompt is provided to the entity in conjunction with anaccess request provided in the form of a contract or offer of contract.The contract may be an agreement, deed, item, product, software,license, service, competition or any other application otherwiserequiring a signature, agreement or the like. Thus, the video recordingmay be used as a video ‘signature’ or ‘record’ of acceptance,acknowledgement or rejection of the contract. Acceptance oracknowledgement of the contract may be indicated by performing theprompted visible actions correctly, and/or performing an actionindicating acceptance, e.g. the prompt may include “make a ‘thumbs-up’gesture if you agree to the terms of this license.

Preferably, the control system stores the contract and associated videorecording in records related to the accessed user account oralternatively stores a record in the database linking the contract withthe video recording. Thus, in the event of a dispute, the control systemmay retrieve the contract and associated video recording to allowassessment. The assessing user or automated assessment may thus be ableto assess the video recording to determine that the entity was presentedwith the contract and indicated their acceptance or rejection. Thus, insome applications, the video recording may be used as a signature bywhich the entity can be identified.

In one embodiment of the present invention the first user terminal maybe a user-operable device such as an operating system, vehicle,machinery or the like. Preferably, the access request is to access saiduser-operable device said entity is provided access to operate saiduser-operable device only if said control system classifies said entitypositively. The user-operable device may thus be secured fromunauthorised access or operation. The present invention may be usedsimilarly to a security system to restrict access to an operatingsystem, vehicle, machinery or the like, wherein the entity is assessedbefore being allowed to access or operate that system, vehicle ormachinery.

The access request need not be received directly from the entity orassessing user and may instead be received via another user, entity,server, system, proxy or network.

Reference herein to “invoke”, “invoking”, “invoked” and “invocation”with respect to a procedure related to the control system should beunderstood to refer to any method, act or process for causing therelevant procedure to be carried out and includes:

-   -   directly conducting the relevant procedure;    -   generating and/or transmitting a signal or data that triggers        the relevant procedure;    -   generating and/or transmitting a signal or data to another        system that performs the relevant procedure.

Reference herein to “facilitating transmission” should be interpreted toinclude generating and/or transmitting a signal or data that is used intransmission of data in and/or between a data store, the control systemand/or user terminal.

The “visible prompted action” includes any body action that can bevisually observed (and optionally verified) as occurring and by way ofexample, may include: facial gestures, hand and other body gestures.Body actions involving hands, face and other body parts are visible andnormally ease recognisable and thus are particularly suited to thepresent invention. Accordingly, the visible prompted action preferablyexcludes typing, writing or other data input to the first user terminal.

To aid clarity and avoid prolixity, reference herein has been made to asingle “video recording” being made, however, this should not be seen tobe limiting and it should be understood that reference to a “videorecording” in the singular also includes multiple recordings.

The video recording is referred to herein as being received from thefirst user terminal accessed by the entity. However, it should beappreciated that this recording may also be passed through intermediaryservers, proxies, terminals, networks, routers or similar beforereaching the control system and should not be seen to be limited todirect transmission from the user terminal.

As referred to herein the term “data store” refers to a local, remoteand/or distributed data store accessible by the control system and byway of example includes digital storage media such as a computer harddrive, solid-state memory, computer RAM, ROM, volatile flash memory,non-volatile flash memory or the like. The data store may be located ata user terminal, at the control system or remotely.

It should be appreciated that the term “store” with respect to datashould be understood to include permanent or temporary storage, caching,streaming or the like, e.g. it may not be necessary to store the entirevideo recording in some applications and instead the video recordingcould be streamed directly in packets to the automated assessment orsecond user terminal.

As used herein the term “video recording” should be understood to referto any electronic recording of moving visual elements and is preferablya digital recording.

The “video recording” is preferably capable of being streamed ordownloaded to/from a user terminal.

It will be appreciated that reference to “receiving” and “providing”includes the various modes of transmitting/receiving electronic data,e.g. streaming, uploading, downloading and can be made across any wiredor wireless communication medium.

The “assessment signal” may be any form of electronic signal or datacapable of being read by said control system and by way of example mayinclude a signal or data generated by a java-script control, compiledAdobe Flash® application, HTML, text message, user-interface control orbutton or any other type of user input control or sensor that can acceptand infer user commands. A hand or body gesture may also form a userinput that is interpreted by a gesture recognition system as anassessment signal, e.g. a ‘thumbs up’ gesture may be interpreted as anassessment signal with a positive indication.

Preferably, upon receiving the access request, the control systemdetermines a user account (hereinafter “accessed user account”)corresponding to credentials provided by the first user terminal. Suchcredentials may be manually or automatically entered at the first userterminal by the entity or alternatively may be stored or cached on thefirst user terminal or control system and processed by the controlsystem when the access request is made.

The term “classification”, as used herein, refers to a determinationmade by the control system upon receiving and processing an assessmentsignal. Preferably, the control system generates data representing theclassification made. The classification may take many forms buttypically will be ‘positive’, ‘negative’ or ‘inconclusive’.

It should be appreciated that the assessing user need not necessarily beanother user having the same security or authorisation status as theentity, i.e. the assessing user may be a security official or other‘super-user’ assigned to assess entities. This ‘super-user’ assessmentsystem may be useful, for example, in banking or financial systems wherean entity attempts to access financial accounts relating to the accesseduser account, i.e. a super-user may be an employee assigned by thebank/finance provider to assess the entity in the aforementioned method.

Preferably, the assessing user is a registered user.

Preferably, the control system at least partially controls datatransmission between said user terminals via the data network.

Preferably, the entity may only have data access to the first userterminal and/or data network if they provide user credentialscorresponding to a said user account. Such provision of user credentialsmay be provided manually or automatically by the entity or alternativelymay be stored or cached on the first user terminal or control system andprocessed by the control system when the access request is made.

The assessment signal preferably includes at least one positive,negative or inconclusive assessment signal.

The assessment may be based on a number of factors and thereforenumerous circumstances may lead to a positive, negative or inconclusiveassessment signal being made. The aspects to be assessed by theassessing user or automated assessment preferably includes at least oneof the following assessments:

-   -   Actions assessment—e.g. whether or not said entitys prompted        performance is a valid response to said prompt.    -   Thus, the assessment signal may be used as an indication of        whether the entity in the video recording is the same entity        present when the access request was made and therefore provide        other users with the reassurance that the person they        communicate with is the entity shown in the video recording.    -   It will be appreciated that the assessing user may determine the        validity of the prompted action based on a number of factors,        including:        -   the response time of the entity to the prompt;        -   the accuracy of the performance to the corresponding prompt            instructions;        -   any personal prior knowledge of the appearance and behaviour            of the user corresponding to the accessed user account,            and/or        -   their intrinsic human assessment of the genuineness of the            performance.    -   Thus, for example, if a persona that corresponds to the accessed        user account is known to the assessing user, the assessing user        may be able to discern that errors or even high accuracy in the        entitys performed prompts are in or out of character with their        knowledge of the persona. Consequently, the assessing user's        interpretation of an entitys prompted performance may differ        according to any prior knowledge of the corresponding persona.    -   Visual assessment—e.g. whether or not the entity has been        assessed as having a characteristic the same or similar to at        least one identifying characteristic of said accessed user        account.    -   An assessment may, by way of example, be made by comparing the        entity in the video recording with a profile image, name,        gender, residence location, occupation and/or other identifying        characteristic of the accessed user account. Thus, other users        may be reassured that the entity they communicate corresponds to        the persona portrayed by the accessed user account and not an        imposter.    -   Persona assessment—e.g. whether or not the entity is recognised        as corresponding to the persona of the accessed user account.    -   Thus, while the assessing user may believe the entity validly        performs the prompted action and matches sufficient identifying        characteristics of the accessed user account (i.e. a ‘positive’        Actions assessment and visual assessment), the assessing user        may not recognise the entity as matching the persona portrayed        or expected. This may indicate that the entity does not match        the persona that the assessing user anticipated, e.g. there may        be many entities genuinely purporting to be users having the        name “John Smith” that the assessing user may assess as having        valid actions and matching profiles, but are not recognised by        the assessing user.    -   General assessment—e.g. the video recording may be assessed for        authenticity to determine if the video appears tampered with or        is otherwise suspicious. A general assessment may also be made        of the entity to assess any other factors not covered by the        actions assessment, visual assessment or persona assessment.

Preferably, the assessment signal includes, for each type of assessmentmade, a positive, negative or inconclusive signal.

Preferably, said control system uses the assessment signal to classify,or contribute to a determination to classify said entity.

Preferably, the classification of the entity is determined by theassessment signal. Examples of potential classifications are outlined intable 1 below.

TABLE 1 Actions Visual Assessment Assessment Classification PositivePositive Positive Positive Negative Negative Negative Positive NegativeNegative Negative Negative

Preferably, the assessment also includes an indication of whether theassessing user recognises the entity and the classification of theentity is as outlined in table 2 below.

TABLE 2 Actions Visual Persona Assessment Assessment AssessmentClassification Positive Positive Positive Positive Positive PositiveNegative Inconclusive Positive Negative Positive Negative PositiveNegative Negative Negative Negative Positive Positive InconclusiveNegative Positive Negative Negative Negative Negative Positive NegativeNegative Negative Negative Negative

It should be appreciated that the classifications above may be alteredto suit a particular application or security policy, e.g. in oneembodiment, a negative actions assessment in table 2 may lead to a“negative” classification.

In some circumstances, an assessment signal may include an indicationthat an “inconclusive” assessment has been made, thereby indicating thata positive or negative assessment has not been made for some reason. An“inconclusive” assessment may occur, for example, where:

-   -   a poor quality or incomplete video recording is received;    -   there are insufficient or incomplete identifying characteristics        in the accessed user account, and/or    -   the entity is not recognised by the assessing user.

It should also be appreciated that different positive and negativeassessment signals are not both required, e.g. the absence of a positiveassessment signal may be interpreted as a negative assessment signal orvice versa.

According to one aspect, where a negative persona assessment is made(e.g. if the entity is not the person expected by the assessing user)then the control system may be configured to request the assessing userprovide additional feedback about the entity. The assessing user may forexample recognise the entity as corresponding to another persona knownto the assessing user, the assessing user thereby identifying the entityas matching that other persona and not the persona portrayed by theaccessed user account.

The control system can have numerous configurations for processing anegative classification. Example configurations may include one or moreof the following procedures, whereby the control system may;

-   -   i) record to the accessed user account that the entity has had a        negative classification;    -   ii) invoke a warning notification for other users attempting to        communicate with the entity that a negative classification has        occurred. Other users will thus be warned that the entity may be        an imposter and should not be communicated with, or at least        should be treated with caution;    -   iii) block the entity from communication with other users;    -   iv) suspend or cancel the accessed user account;    -   v) repeat steps b)-d) of the aforementioned method;    -   vi) repeat steps b)-e) of the aforementioned method;    -   vii) send a warning notification to a network administrator or        other authority to investigate the entity and/or negative        assessment;    -   viii) selectively restrict the type of communication allowed        between the entity and other users. The control system, by way        of example, may prohibit sending of photos and videos while        permitting text-based communication;    -   ix) selectively restrict the type of access allowed or the        extent of access, e.g. access to certain data on the data        network may be restricted.

The control system can alternatively, or in addition, have a number ofdifferent configurations for processing negative classificationsresulting from multiple user assessments or multiple negativeclassifications. As examples, these may include one or more of thefollowing procedures whereby the control system may:

-   -   i) record that the accessed user account has had multiple        negative classifications. The number, or proportion of negative        classifications made (indicating ‘negative’ overall assessments)        can be used as a measure of the validity or ‘trust’ ranking of        the entity, i.e. the greater the number (or higher proportion)        of negative assessments, potentially the less trust-worthy the        entity may be;    -   ii) generate a warning notification for other users, the        notification indicating that multiple negative classifications        have been made for assessment attempts by the entity. The        notification may include details of:        -   a. number of negative classifications;        -   b. number of negative classifications as a proportion of            total positive and negative classifications;        -   c. a assessment rating assigned to the entity by other            users;        -   d. time, date and/or location the negative and/or any            positive classifications were made; and/or        -   e. permutations and/or combinations of the above;    -   iii) restrict the entitys access when a predetermined threshold        is reached or exceeded of:        -   a. number of negative classifications;        -   b. number of negative classifications as a proportion of            total positive and negative classifications;        -   c. a assessment rating assigned to the entity by users;        -   d. time, date and/or location the negative and/or any            positive classifications were made; and/or        -   e. permutations and/or combinations of the above;    -   iv) suspend or cancel the accessed user account and prevent        access when a predetermined threshold is reached or exceeded of:        -   a. number of negative classifications;        -   b. number of negative classifications as a proportion of            total positive and negative classifications;        -   c. a assessment rating assigned to the entity by other            users;        -   d. a assessment rating assigned to the entity by other users            where those other users' contribution to the entitys trust            ranking is determined by the respective trust rankings of            the contributing users;        -   e. time, date and/or location the negative and/or any            positive classifications were made; and/or        -   f. permutations and/or combinations of the above;    -   v) repeat steps b) to d) or b) to e) of the aforementioned        method when a predetermined threshold is reached or exceeded of:        -   a. number of negative classifications;        -   b. number of negative classifications as a proportion of            total positive and negative classifications;        -   c. a assessment rating assigned to the entity by other            users;        -   d. a assessment rating assigned to the entity by other users            where those other users' contribution to the entitys trust            ranking is determined by the respective trust rankings the            contributing users;        -   e. time, date and/or location the negative and/or any            positive classifications were made; and/or        -   f. permutations and/or combinations of the above;    -   vi) A warning notification may be sent to a network        administrator or other authority to investigate the negative        assessment when a predetermined threshold is reached or exceeded        of:        -   a. number of negative classifications;        -   b. number of negative classifications as a proportion of            total positive and negative classifications;        -   c. a assessment rating assigned to the entity by other            users;        -   d. a assessment rating assigned to the entity by other users            where those other users' contribution to the entitys trust            ranking is determined by the respective trust rankings the            contributing users;        -   e. time, date and/or location the negative and/or any            positive classifications were made; and/or        -   f. permutations and/or combinations of the above.

The control system can have a number of configurations for processing a‘positive’ assessment classification. As examples, these configurationsmay include one or more of the following procedures whereby the controlsystem may:

-   -   i) record to the accessed user account that a positive        classification has been made;    -   ii) invoke a notification for other users attempting to        communicate with the entity that a positive classification has        occurred;    -   iii) permit communication between the entity and other users;    -   iv) provide the entity with read and/or write access to the        accessed user account;    -   v) selectively restrict the type, format or medium of        communication allowed between the entity and other users. The        control system, by way of example, may prohibit sending of        photos and videos while permitting text-based communication;    -   vi) selectively permit/restrict the type of access allowed or        the extent of access, e.g. access to certain data on the data        network may be restricted.

The control system can alternatively, or in addition, have a number ofdifferent configurations for processing positive classifications frommultiple users or multiple positive classifications. As examples, theseconfigurations may include one or more of the following procedures,whereby the control system may:

-   -   vii) record to the accessed user account that multiple positive        classifications have been made. The number, or proportion of        positive classifications made (indicating ‘positive’ overall        assessments) can be used as a measure of the validity or ‘trust’        ranking of the entity, i.e. the greater the number (or higher        proportion) of positive classifications, potentially the more        trust-worthy the entity may be;    -   viii) generate a notification for other users attempting to        communicate with the entity that multiple positive        classifications have been made for assessment attempts by the        entity. The notification may include details of:        -   a. number of positive classifications;        -   b. number of positive classifications as a proportion of            total positive and negative classifications;        -   c. a assessment rating assigned to the entity by other            users;        -   d. time, date and/or location the negative and/or any            positive classifications were made; and/or        -   e. permutations and/or combinations of the above.

The control system can have a number of configurations for processing an‘inconclusive’ classification or assessment signal. As examples, theseconfigurations may include one or more of the following procedureswhereby the control system may:

-   -   i) record to the accessed user account that an inconclusive        classification has been made;    -   ii) invoke a notification for other users attempting to        communicate with the registered user that an inconclusive        classification has occurred;    -   iii) permit or restrict communication between the entity and        other users;    -   iv) restrict read and/or write access to the accessed user        account;    -   v) selectively restrict the type, format or medium of        communication allowed between the entity and other users. The        control system, by way of example, may prohibit sending of        photos and videos while permitting text-based communication;    -   vi) selectively permit/restrict the type of access allowed or        the extent of access, e.g. access to certain data on the data        network may be restricted;    -   vii) advise the entity of the reason for the inconclusive        assessment (e.g. poor video quality, “please enter gender”) and        prompt the entity to correct the problem.

The control system can alternatively, or in addition, have a number ofdifferent configurations for processing inconclusive classificationsfrom multiple users or multiple inconclusive classifications. Asexamples, these configurations may include one or more of the followingprocedures, whereby the control system may:

-   -   i) record to the accessed user account that multiple        inconclusive classifications have been received. The number, or        proportion of inconclusive classifications received can be used        as a measure of the reliability of assessments of the entity or        problems with the accessed user account or first user terminal,        i.e. the greater the number (or higher proportion) of        inconclusive classifications, potentially an assessing user is        less able to make a satisfactory assessment;    -   ii) generate a notification for other users attempting to        communicate with the entity that multiple inconclusive        classifications have been received for assessment attempts by        the entity. The notification may include details of:        -   a. number of inconclusive classifications;        -   b. number of inconclusive classifications as a proportion of            total classifications;        -   c. an assessment rating assigned to the entity by assessing            users;        -   d. time, date and/or location the inconclusive            classifications were received; and/or        -   e. permutations and/or combinations of the above.    -   iii) advise the entity of the reason for the inconclusive        assessments (e.g. poor video quality, “please enter gender”) and        prompt the entity to correct the problem.

Preferably, at least one audio recording of said visible prompted actionis recorded and stored, preferably with said video recording. The use ofboth video and audio recordings may further minimise the chance ofdeception as the assessing user will also be able to assess if theentity is making the audio (e.g. speaking) in synchronisation with thevideo showing the entity making the sounds. An audio recording alsoprovides the assessing user with more potentially recognisableinformation about the entity, including their accent, tone and othervoice characteristics. Additionally, the prompt may ask a question ofthe entity which, when answered, may provide interesting or importantinformation to the assessing user.

In another embodiment, a sequence of touch or gesture-actions may alsobe recorded, i.e. via using a touch screen or a gesture recognitionsystem such as the Microsoft™ Kinect™ system.

Preferably, the prompt is provided in a form selected from the groupincluding: text, graphical objects, symbols, representations, audiblesounds, video, animations, combinations and permutations thereof.

Preferably, the prompt is provided as text or images to improve rapidcognition relative to a dynamic prompt such as video, audio oranimations.

Preferably, the prompt is only provided to the entity for apredetermined duration. The duration may thus be set for particularprompts to ensure the entity has enough time to perform the promptedaction. Preferably, the duration is less than thirty seconds and morepreferably less than five seconds. It will be appreciated that theduration may be varied for a particular prompt depending on the timerequired for the entity to assimilate that prompt and then perform thecorresponding action. Exemplary durations may be between one and tenseconds.

Preferably, multiple prompts are provided for the entity to performcorresponding actions, at least one said action being visible. Themultiple prompts may be provided all at step b) of the aforementionedmethod or alternatively, the two steps b) and c) may be repeated foreach individual prompt, e.g. a first prompt could be invoked (step b))and then recorded and stored (step c)) and then a second prompt invoked(step b)) and recorded and stored (step c)).

It will be appreciated that the longer the total prompt time (i.e. timebetween the start of the first prompt and the end of the last prompt),the longer an entity must wait, which may prove overly burdensome oronerous for many types of access request. Therefore, in one preferredembodiment, the total time between the start of the first prompt and theend of the last prompt is less than thirty seconds and more preferablyless than fifteen seconds. Preferably, at least three said prompts areprovided. Three prompts permit a large number of unique combinations toavoid simple forgery without being overly onerous on the entity.However, this should not be seen to be limiting as the number of promptsmay be changed to suit the application.

It will be appreciated that an ‘imposter’ entity trying to falselyobtain a positive classification in the aforementioned assessment methodmay try and obtain pre-recordings of another entity that hascharacteristics the same or similar to the identifying characteristicsin the accessed user account or the persona the accessed user accountportrays. The imposter may persuade the other entity to perform variousactions and then try to provide these pre-recordings when prompted. Ifsuch an imposter is somehow able to obtain such a recording of for usein the assessment, the imposter may be able to deceive the assessinguser with a single such recording. However, requiring a sequence ofmultiple visible prompted actions greatly reduces the risk of theassessment methods of the present invention being circumvented by animposter obtaining pre-recordings of single actions.

In a further embodiment, the prompts may be provided in a time-delimitedsequence so that the entity is required to perform each visible promptedaction in a particular time sequence. By way of example, the timing ofthe prompts may be in synchronisation with a song, beat, tune or timeror may be provided at preset intervals, e.g. five seconds between eachprompt.

Preferably, said prompts are provided to the entity with a time delaybetween each prompt. The time delays between each prompt are preferablyselected from the range between zero seconds and five seconds.

In a further embodiment, the time delays between pairs of consecutiveprompts differ and are preferably of an unpredictable length within apredetermined range, e.g. the time delay between first and secondprompts may be five seconds while time delay between second and thirdprompts is ten seconds. This further minimises the risk of falsifiedpre-recordings being used to deceive other users as a pre-recordingwould be evident if the actions are not appropriately synchronised withthe prompts. Preferably, the details of the prompts provided to theassessing user and/or for analysis are provided in synchronisation withthe video recording.

Preferably, the video recording may be controlled by the control system,e.g. the control system may invoke video capture by providing aninstruction signal to a recording device (e.g. webcam and/or microphone)at the first user terminal, which then records the performance inreal-time. This increases the difficulty of falsifying such recordingsby using pre-recordings or other user-provided recordings will not beaccepted as valid recordings. Further authentication methods for therecording can be used, e.g. the recording may be tagged with a time,date and IP address, geo-location marker or other time/locationidentification system. Details of the relevant user terminal could alsobe provided, e.g. serial number, vendor ID information or the like.

In one preferred embodiment the control system may invoke the prompt byproviding computer-executable code or computer-readable data to softwareon the first user terminal which then generates the prompt accordingly.The code and/or data may also preferably indicate which prompt is to bedisplayed and time delays between pairs of consecutive prompts. Thus, itshould be understood that reference herein to the control systeminvoking a prompt may also be interpreted to include the user terminalgenerating prompts on receiving an invocation signal or appropriate datafrom the control system. It will also be appreciated that the controlsystem may send code or data to another computer system for generating aprompt which is then sent to the terminal.

In one embodiment, the control system may reject recordings if receivedafter a predetermined time-period from when the prompts are invoked,thereby reducing the time and therefore potential for false recordingsto be provided.

It will be appreciated that the aforementioned methods may be appliedfor communication between more than two users, e.g. the video recordingmay be provided to multiple different users for assessment of theentity. It will also be appreciated that the aforementioned methods maybe performed for the second and subsequent users as well, i.e. theassessing user may also be assessed by the assessed entity and/or otherusers.

Preferably, the control system is configured to receive and process datarelating to a view request from said assessing user to view said videorecording before invoking or facilitating transmission of said videorecording to said assessing user.

Preferably, the data store for storing the video recording is providedseparately to the user data store containing the database. Preferably,said video recording is stored with a unique identifier. Storing thevideo recording separately to the database in the user data storeensures that if the ‘video’ data store is somehow accessed by anunauthorised entity, the video recording will not have identifyingcharacteristics related to the accessed user account. The uniqueidentifier may also be stored in the database against the accessed useraccount and so can be used by the control system to invoke or facilitatetransmission of the matching video recording from the video data storewhen required.

In an alternative embodiment, the video recording may be stored in thedatabase in the user data store in a database record related to theaccessed user account.

Storage of the video recording alleviates the requirement for animmediate assessment of the entity and thus has one of the advantages oftext-based communication, i.e. there is no requirement for both theentity and assessing user to be accessing the network or communicationsat the same time. The control system may, by way of example, conduct thesteps b) to d) when the entity makes an access request. The videorecording may then be stored in the data store and retrieved at a latertime when requested by the assessing user, or alternatively may beprovided automatically when the assessing user makes an access requestfor communication with the entity and/or accessed user account orpersona portrayed by the accessed user account.

The aforementioned method, system and software may thus allow users tocommunicate primarily be text or audio to maintain real-time visualprivacy from other users (by avoiding the need for real-time videocommunication) while also ameliorating the otherwise inherent risk ofdeceit, as the assessing user is able to visually verify that the entityis the same person as in the recording by matching the performance inthe recording to the details of the prompted actions. If there is nomatch then this indicates the entity is trying to deceive the assessinguser or at least may not be following the prompt instructions. Withoutsuch prompt generation and assessment, the entity may provide a falsevideo recording and deceive the assessing user.

The assessing user can also visually verify whether the entity hascharacteristics the same or similar to the identifying characteristicsof the accessed user account. A human's innate ability to recognisefacial features and particularly expressions and body language providesa very efficient and accurate means of recognition. The assessing usercan choose to reject the communication or take other action if theentity is negatively assessed. The assessing user may also choose towarn other users, a network administrator, police or other authority.

It will be appreciated that a video recording provides far morerecognisable information about a person than a static image. A person'scharacteristic nuances can make it far easier to positively identifythan relying on a static image.

The aforementioned method, system and software may thus provide anefficient ‘peer-assessment’ system that is more effective thantext-based authentication systems and allows other users (peers) toconduct the assessment, which is in contrast to conventional systemswhich place the burden of assessment on the network provider or securitysoftware.

Users may provide active feedback to the system via an assessment signalwhich can be used to indicate whether an assessed entity is deemed to begenuine and should be positively classified. Alternatively, users canmake an assessment without feedback and choose whether or not tocommunicate with the entity based on their own assessment.

In an alternative embodiment, the assessing user may be supplanted withan automated assessment system. Thus, according to another aspect of thepresent invention there is provided a method of assessing an entity at afirst user terminal connected to a data network, said method utilising acontrol system operable to perform the steps of:

-   -   a) receiving an access request from at least one of:        -   said entity;        -   a user at a second user terminal connected to the data            network;    -   b) invoking or facilitating transmission of at least one        unpredictable prompt to said entity for a performance of a        visible prompted action;    -   c) invoking storage of at least one video recording of said        prompted action performance from said entity in a data store;    -   d) invoking an automated assessment of said video recording;    -   e) generating an assessment signal indicative of said        assessment.

According to yet another aspect of the present invention there isprovided a control system capable of assessing an entity at a first userterminal connected to a data network, said control system including acomputer system with a computer processor coupled to a system memory andprogrammed with computer readable instructions executable to perform thefollowing procedures:

-   -   a) receive data relating to an access request from at least one        of:        -   said entity;        -   a user at a second user terminal connected to the data            network;    -   b) invoke or facilitate transmission of at least one        unpredictable prompt to said entity to perform a visible        prompted action;    -   c) invoke storage of at least one video recording of said        prompted action performance from said entity in a data store;    -   d) invoking an automated assessment of said video recording;    -   e) generating an assessment signal indicative of said        assessment.

Preferably, there is provided computer software for enabling assessmentof an entity at a first user terminal connected to a data network, saidcomputer software embodied in computer-readable instructions executableto perform the following procedures:

-   -   a) process data relating to an access request from at least one        of:        -   said entity;        -   a user, at a second user terminal connected to the data            network;    -   b) invoke, in response to receiving said access request data, at        least one unpredictable prompt for said entity to perform a        visible prompted action;    -   c) invoke storage of at least one video recording of said        prompted action performance from said entity in a data store;    -   d) invoking an automated assessment of said video recording;    -   e) generating an assessment signal indicative of said        assessment.

Preferably, said automated assessment includes assessment by a gesturerecognition system, wherein said assessment signal respectively includesa positive or negative indication of whether or not said entity validlyperformed said prompted action.

Preferably, said automated assessment includes assessment by a facialrecognition system to analyse the entity's face with respect to anidentifying characteristic in the accessed user account and wherein saidassessment signal respectively includes a positive or negativeindication of whether or not said entity is assessed as having a facialcharacteristic the same or similar to said identifying characteristic.

Preferably, said identifying characteristic includes a pre-recordedimage, video recording and/or stored biometric data of a face.

Preferably, said control system classifies, or contributes to adetermination to classify, said entity.

Preferably, said control system includes said gesture recognitionsystem.

Preferably, said control system includes said facial recognition system.

In an alternative embodiment, the automated assessment may be conductedremotely to said control system while being invoked by said controlsystem.

The control system preferably includes software algorithms inconjunction with one or more cameras at the first user terminal torecord and assess the action performed and/or face of said entity.

Face and gesture recognition technology is well-known in the art andwill not be described in detail herein. However, it will be appreciatedthat the face recognition system should be capable of detecting facialfeatures and comparing with a reference image, video or biometric datato determine a correlation rating indicative of the similarity betweenthe recorded face and a reference image or video. A gesture recognitionsystem should be capable of detecting visible actions such as hand,facial and/or body gestures and comparing with reference actions or datato determine the gesture performed. The Microsoft™ Kinect™ system is anexample of a system including both facial and gesture recognitionsystems.

In a further embodiment, the control system may be configured to assessthe video recording using said facial recognition system and compare therecorded face with identifying characteristics of other user accounts ina user database. Thus, the control system may be capable of identifyingmultiple user accounts that have identifying characteristics the same orsimilar to the facial characteristics of the recorded entity, which mayindicate that a single entity has multiple user accounts, e.g. theentity may have aliases. The network provider/administrator may thentake appropriate action to investigate the entity and determined useraccounts to determine whether the entity is falsely portrayingthemselves as multiple different people.

In another embodiment, the control system may preferably use said facerecognition system to assess the entity and compare against a databaseof user accounts to identify a user account that has identifyingcharacteristics that are the same or similar to the facialcharacteristics of the recorded entity. Thus, an entity user can beprovided access to the data network by letting the facial recognitionsystem ‘recognise’ them.

Preferably, the control system, in conjunction with the gesturerecognition system and/or face recognition system, is configured todetermine when a visible action has been performed by said entity andinvoke or facilitate transmission of another prompt to said first userterminal to perform another visible action. Thus, rather than providingmultiple prompts in a predetermined time-sequence, the control systemmay determine when the next prompt is required based on the performanceresponse to the previous prompt. The control system is howeverpreferably configured to provide each prompt within a maximum time-limitfrom the previous prompt to thereby reduce the risk of an entityproviding a pre-recorded video recording of the prompted visibleactions. Preferably, said time limit is less than twenty seconds.

In another embodiment, the facial recognition system may be configuredto analyse the recordings to:

-   -   identify entities accessing the data network that have similar        facial characteristics to each other, e.g. an entity may have        access to multiple user accounts with one or both accounts being        an alias, wherein the face recognition system can assess the        video recording to identify any matching identifying        characteristics to determine such duplicates and thereby provide        administrators with the ability to remove; and/or    -   compare the facial biometrics in the video recording with        identifying characteristics stored against user accounts to        identify the corresponding entity in the video recording. This        method allows the control system to automatically recognise and        retrieve user identifying characteristics which match the entity        in the video recording. This method may also allow the control        system to suggest to a user that other users with similar        reference identifying characteristics may be genetically related        or otherwise connected in some way.

The aforementioned automated methods, software and systems, may providean assessment having many of the benefits of the earlier aforementionedmethods requiring user assessment but without the requirement of anassessing. Thus, this automated assessment system may be useful inapplications where an assessing user is not available and/or where otherusers cannot or should not be trusted as an assessing user. In bankingapplications for example, an ATM or online banking system mayincorporate the automated control system, method and software asaforementioned to allow users to securely access their bank accounts.

Similarly, other applications where such an automated system may beuseful may include:

-   -   logging on to a computer, mobile device or other user terminal;    -   accessing or operating a user-operable device such as a vehicle        or machinery.    -   smart phone access;    -   physical access, e.g. through security doors;    -   virtual network login.

In yet another embodiment, the aforementioned automated method, systemand software may be utilised with a said control system located in auser terminal wherein the aforementioned automated assessment process isrequired in order to access said user terminal.

In another embodiment, the aforementioned methods may be used to assessthe competency of the entity, e.g. the prompt may request the entity toperform a sobriety, fatigue or coordination test or other competencyassessment, wherein access is granted only if the control system makes apositive classification.

It will be appreciated that there are numerous gesture-based competencytests to determine the physical and/or mental coordination of the entityand any of these tests may be used, e.g. one test includes a ‘fingercount’ where the entity is prompted to touch each finger of their handto their thumb and count with each touch (1, 2, 3, 4, 4, 3, 2, 1). Theassessment made may incorporate a number of factors, including:

-   -   degree of delay between the prompt and the visible prompted        action;    -   variation from calibrated reference actions;    -   unprompted repetition of actions.

The aforementioned method may find particular application in assessingthe authority and/or competency of entities attempting to operatemachinery that is dangerous or has a high-skill requirement or vehiclessuch as military, industrial or service vehicles or the like. Invehicles for example, the vehicle ignition may not be operable until theentity has been assessed and a positive classification is madeindicating the entity is authorised and deemed competent to operate thatvehicle.

The aforementioned control system may be installed or connected to amilitary or para-military vehicle to prevent enemy combatants or otherunauthorised entities from operating the vehicle.

The control system may preferably be configured to provide data to theassessing user or automated assessment indicating visible actions thatare invalid responses to the prompt, e.g. the prompt may be “touch yournose” wherein if the entity uses their left hand the visible promptedaction is deemed ‘invalid’ and a negative classification is made. Thus,the control system may be used with a set of rules that can assist theassessment and/or indicate coercion of an entity who has knowledge ofthose rules.

It should be appreciated that the various aforementioned methods,systems and software may be combined together in various iterations tosuit a particular application.

The aforementioned aspects of the present invention may thus provide anenhanced form of entity assessment that negates many of the problemsinherent in text-based user-assessment systems or live videocommunications.

BRIEF DESCRIPTION OF DRAWINGS

Further aspects and advantages of the present invention will becomeapparent from the following description which is given by way of exampleonly and with reference to the accompanying drawings in which:

FIG. 1 shows a pictorial representation of two users communicating in aprior art data network;

FIG. 2 shows a schematic logic diagram of a network control systemaccording to one embodiment of the present invention;

FIG. 3 shows a high-level flowchart representing a first stage of amethod of ‘peer assessment’ of an entity according to one embodiment ofthe present invention;

FIG. 4 shows a high-level flowchart representing a second stage of themethod of ‘peer assessment’ of FIG. 3;

FIG. 5 shows a high-level flowchart representing an alternative to thesecond stage of the method of entity assessment of FIG. 4;

FIG. 6 shows a schematic logic diagram of a network control systemaccording to another embodiment of the present invention.

FIG. 7 shows a simplified pictorial representation of a data network andcontrol system implementing a method of entity assessment according toone preferred embodiment of the present invention;

FIG. 8 shows the data network and method of FIG. 7 with one possibleassessment;

FIG. 9 shows the data network and method of FIG. 7 with another possibleassessment;

FIG. 10a shows a screenshot of an example of the initial stage of themethod of ‘peer assessment’ of FIGS. 3 and 4;

FIG. 10b shows a screenshot of a user profile and their friends in oneexample of the method of ‘peer assessment’ of FIGS. 3 and 4;

FIG. 11 shows a high-level flowchart representing an automated method ofentity assessment according to a second preferred embodiment.

BEST MODES FOR CARRYING OUT THE INVENTION

Reference will now be made in detail to embodiments of the presentinvention, examples of which are illustrated in the accompanyingdrawings. While the present invention will be discussed in conjunctionwith the following embodiments, it will be understood that they are notintended to limit the present invention to these embodiments alone. Onthe contrary, the present invention covers alternatives, modifications,and equivalents which may be included within the spirit and scope of thepresent invention as described herein and as defined by the appendedclaims. Furthermore, in the following detailed description of thepresent invention, numerous specific details are set forth in order toprovide a thorough understanding of the present invention. However,embodiments of the present invention may be practiced without thesespecific details. In other instances, well-known methods, procedures,components, and circuits have not been described in detail so as not tounnecessarily obscure aspects of the present invention.

Some portions of the detailed descriptions which follow are presented interms of procedures, logic blocks, processing, protocols and othersymbolic representations of operations on data bits within a computermemory. These descriptions and representations are the means used bythose skilled in the data processing arts to most effectively convey thesubstance of their work. In the present application, a procedure, logicblock, process, function, or the like, is a self-consistent sequence ofsteps or instructions leading to a desired result. Reference herein willalso be made to various “algorithms” which should be understood to referto one or more computer-implemented processes, procedures, functionsand/or calculations that are capable of accessing, reading, processing,modifying, creating or otherwise manipulating data.

The “steps” of each method are those requiring physical manipulations ofphysical quantities. Usually, although not necessarily, these quantitiestake the form of electrical or magnetic signals capable of being stored,transferred, combined, compared, and otherwise manipulated in a computersystem.

It should be borne in mind, however, that all of these and similar termsare to be associated with the appropriate physical quantities and aremerely convenient labels applied to these quantities. Unlessspecifically stated otherwise as apparent from the followingdiscussions, it is appreciated that throughout the present invention,discussions utilizing the terms such as “aborting,” “accepting,”“accessing,” “adding,” “adjusting,” “analyzing,” “applying,”“assembling,” “assigning,” “balancing,” “blocking,” “calculating,”“capturing,” “combining,” “comparing,” “collecting,” “creating,”“debugging,” “defining,” “delivering,” “depicting,” “detecting,”“determining,” “displaying,” “establishing,” “executing,” “filtering,”“flipping,” “generating,” “grouping,” “hiding,” “identifying,”“initiating,” “interacting,” “modifying,” “monitoring,” “moving,”“outputting,” “performing,” “placing,” “positioning,” “presenting,”“processing,” “programming,” “querying,” “receiving” “removing,”“repeating,” “resuming,” “sampling,” “selecting,” “simulating,”“sorting,” “storing,” “subtracting,” “suspending,” “tracking,”“transcoding,” “transforming,” “transferring,” “transforming,”“unblocking,” “using,” or the like, refer to the action and processes ofa computer system, or similar electronic computing device, thatmanipulates and transforms data represented as physical (electronic)quantities within the computer system's registers and memories intoother data similarly represented as physical quantities within thecomputer system memories or registers or other such information storage,transmission or display devices.

To aid brevity and clarity, reference herein will also be made tohardware devices in the singular, however, such reference should beinterpreted to also include multiple components forming the deviceand/or multiple devices sharing the function, e.g. reference herein to a“server” should be interpreted to include multiple servers, distributedservers, cloud-based servers and the like.

FIG. 1 shows a known prior art data network (1) controlled by a controlsystem provided in the form of server (2) accessible over acommunication system such as the internet or other wired or wirelesscommunication medium. User terminals (3, 4) are connected to, or routedby, the data network (1) by server (2) and are provided in this examplein the form of notebook computers (3, 4). The server (2) is of a knowntype and generally includes at least one computer processor connected bya bus to a system memory and data store storing a database of userrecords. User accounts are formed from one or more database recordsrelating to the same user. The server (2) is connected to the userterminals (3, 4) via wireless or wired communications systems and allare part of the wider World Wide Web or internet. The server (2) isoperable to process computer program modules for processing data held inthe system memory and/or data store. The system memory includes RAM, ROMand necessary program modules, e.g. an operating system. The system datastore, such as a hard drive or virtual data store, may also storeprogram modules in addition to the database. The user terminals (3, 4)connect to the server (2) via a wired or wireless network of theirInternet Server Provider (ISP). The user terminals (3, 4) may also havewebcams (17). Users (5, 6) at the terminals (3, 4) can communicate witheach other via the server (2).

A virtual network is provided in the form of a virtual social network(7), e.g. Facebook™ Match.com™, Linkedln™ etc. The virtual socialnetwork (7) is formed from the interrelated collection of data recordsof users/members of the social network, i.e. all users are part of thelarger social network. Each given user may have their own individualsocial network formed by storing a table of user identifiers against thegiven user's account, the user identifiers corresponding to otherusers/data records which the given user is connected to, e.g. the givenuser's “contacts”. Social networks generally permit mutual communicationvia text, audio, static images and/or video that is stored and/or routedby the server (2).

Reference herein to the entity or other user “logging in” to the network(1) should also be interpreted to include Single Sign-On (SSO) systemssuch as OpenID® or similar systems where a user can ‘log-on’ todifferent networks using a single set of user credentials.

As described in the background art section, users (5, 6) accessing thedata network (1) are typically only required to provide a combination ofuser-name and password for authentication. Once authenticated, the user(5 or 6) is free to communicate with their contacts and/or other users.There is typically no requirement for users (5, 6) to includeindependently verifiable statements about themselves. When a user (5 or6) is ‘signing-up’, the social network (1) commonly only requires anemail as a unique user identifier (ID) and does not verify that theother identifying characteristics or details the user (5 or 6) isentering are true. This limited authentication method allows users tocreate accounts with false details or access other user's accounts byfinding out that other user's ID and password. There is thus no meansfor other users to verify the identity of a particular user, except forasking questions which both users know the answer to. However, even thismethod is not robust as a dishonest person may have already obtained theanswers to those questions. Thus, paedophiles, imposters and othermalicious users have taken advantage of such cursory security measuresand have used social networks to deceive and harm other users.

Some social networks allow users to communicate by live bidirectionalvideo transmission, e.g. ‘video conferencing’, to verify each other,though, as discussed above, this form of communication is undesirablefor many users and must be performed ‘live’ with both users beingpresent for effective assessment.

FIGS. 7-9 show example componentry for a control system provided in theform of server (11) and user terminals (13, 14) that may be used toimplement preferred embodiments of the present invention.

The physical hardware involved for accessing and running the socialnetwork (8) on the data network (10) is generally comparable to theprior art system shown in FIG. 1, e.g. a control system is provided inthe form of a server (11) and is connected to user terminals (13, 14)via a wired or wireless communication medium (not shown) thus providingfor communication between an entity (15) and another user (16). Theserver (11) may store and/or route communications or set up a directconnection, such as a Virtual Private Network (VPN) or other internettunnelling connection between the terminals (13, 14). Webcams (17) orother video/audio recording devices are provided at each user terminal(13, 14).

FIG. 2 shows a more detailed logic diagram of the server (11) and asingle user terminal (13 or 14).

The server (11) generally includes a computer processor (60), data store(61), network interface (62) (wireless or wired) and system memory (64)connected via a system bus (63). The system memory (64) includes RandomAccess Memory (RAM) (65) and Read Only Memory (ROM) (66) along withassets (67) including program modules (67 a-m) and other assets (notshown) such as images, text, URLs, scripts and so forth. The programmodules (67 a-m) may of course be stored in data store (61) and loadedto RAM (65) during operation as needed. The data store (61) alsocontains a database of user accounts formed from related data recordsthat correspond to a user (e.g. entity-15 or user-16). The user accountspreferably store identifying characteristics of the correspondingregistered user, e.g. each registered user's account may contain recordsspecifying the gender, age, occupation, country of residence,nationality, profile image etc. of the registered user.

An external data store (61 a) is located remotely to the server (11) andcan be used to store video recordings (21) with filenames acting asunique identifiers for each recording (21). The data stores (61 a) and(61) can be used interchangeably for storing various data and thus, anyreference to one data store (61) or (61 a) will be appreciated as beingsubstitutable with the other data store (61 a) or (61) respectively.

An optional data access module may be included in the program modules(67 a-m) for determining access parameters to the data store (61 a). Theexternal data store (61 a) may take the form of another network server,Network Attached Storage (NAS), cloud storage or any other type of datastore.

While reference herein is made to the use of a single server (11) itshould be appreciated that multiple servers may be provided and theprogram modules (67) may be distributed amongst the multiple servers.Furthermore, the data network (10) may operate independently to theserver (11) with a different control system/server and only accessselected data from the server (11), data store (61 a) or user terminal(13, 14) when required.

The user terminals (13, 14) also include a computer processor (70), datastore (71), network interface (72) and system memory (74) connected viaa system bus (73). The system memory (74) includes RAM (75) and ROM (76)along with executable program modules (77). The user terminal (13) alsoincludes an operating system (78) program module and network browsermodule (79). The user terminal (13) additionally includes an optionalGraphics Processing Unit (GPU) (81) which may also be integrated intothe CPU (60). A video capture device (80) and user input devices (83)(e.g. mouse and keyboard, or touch-screen, etc) are also connected tosystem bus (73). The GPU (81) is connected to a display (82) via a videointerface such as DVI, HDMI, DisplayPort or similar.

It should be appreciated that while other user terminals may be usedthat have predominantly the same components as user terminal (13, 14)other alternative example user terminals may have an integrated GPU (81)and processor (70), touch-screen or keypad input device or even no datastore, instead having accessible network or cloud-based storage.Examples of user terminals (13, 14) include computers, servers, portablecomputers and tablets, mobile phones, game consoles, Automated TellerMachines, gambling machines, security screening terminals and indeed anydevice capable of computing data, recording video, generating promptsand transceiving data with server (11).

It should be appreciated that not all program modules (67 a-j) may berequired in each embodiment as described below, e.g. in the ‘peerassessment’ methods shown in FIGS. 4 and 5, the facial recognition (67c) and gesture recognition (67 d) modules may not be required. It willalso be appreciated that the video recording (67 g) and promptgeneration (67 a) modules may be located in the user terminal (13, 14)and run locally rather than on the server (11).

The methods of preferred embodiments of the present invention may beimplemented using any applicable software platforms such as, but notlimited to, Java®, Flash®, HTML5 or any other suitable softwareplatform. In the present example described herein, the method isimplemented using an Adobe Flash® application and example screenshotsare shown in FIG. 10. It will be appreciated that other softwareplatforms and protocols may be used and the aforementioned platforms aremerely provided as examples.

One preferred embodiment of a method (100) of entity assessment is shownin FIGS. 3 and 4. The method is for assessing an entity (15) at a firstuser terminal (13) connected to a data network (10).

In broad terms the method utilises a control system provided in the formof server (11) operable to perform the steps of:

-   -   a) receiving an access request from at least one of:        -   (101)—the entity (15);        -   (114)—an assessing user (16) at a second said user terminal            (14).    -   b) invoking (109) at least one unpredictable prompt (18) to said        entity (15) to perform a visible prompted action (20);    -   c) invoking storage (111) of at least one video recording (21)        of said prompted action performance from said entity (15) in a        data store (61 a);    -   d) invoking or facilitating transmission (119) of said video        recording (21) from said data store (61 a) and details of said        prompt (18) to said assessing user terminal (14) for viewing and        assessment by said assessing user (16);    -   e) receiving (121) from said assessing user (16) an assessment        signal.

Now with reference to FIGS. 3 and 4 the method of entity assessment isdescribed in more detail. This method enables assessment of at least oneentity (15) at a first user terminal (13) accessing a data network (10).The method utilises a control system provided in the form of server (11)operable to perform the steps of:

-   (step 101) Receiving an access request from a first user terminal    (13) from an entity (15) purporting to be a registered user of the    social network (8) entity (15) and requesting access to the social    network (8). The access request includes an initial “login” request    (102).-   (step 102) The entity (15) will attempt to provide credentials to    access a user account (hereinafter accessed user account) that    corresponds to a registered user. The credentials provided are    typically login credentials, e.g. a user ID and password. The data    containing the credentials is sent to the server (11) from the first    user terminal (13).-   (step 103) The server (11) receives the submitted credentials, and    attempts to correlate with a user account stored in the database.-   (step 104) If the user ID and password combination does not match a    registered user's account, the access request (101) is denied and    the entity (15) notified. The entity (15) can then retry the access    request, i.e. start again at step (101) or abandon the access. There    may also be the option for the entity (15) to request a ‘lost’    password or reset password link to be sent to the registered user's    e-mail address registered in database.-   (step 105) If the credentials do match a registered user's account,    the initial login is read as a success and a login timestamp    generated and stored in the database against the accessed user    account.-   (step 106) The server (11) then determines whether the entity (15)    requires assessment.-   (step 107) If the entity (15) requires assessment a request is sent    to the first user terminal (13) to access a webcam (17) or other    visual communication device. This request may be in the form of a    Java remote method invocation, an HTTP GET/POST request (a URL    request), an application specific request or similar.    -   Alternatively, the entity (15) may be required to install        software which is able to access the webcam (17) on behalf of        the server (11). The webcam (17) is preferably controlled by the        software (67) or web server (11) to prevent an imposter from        making pre-recordings of one or more of the prompted actions        (20) (described below) and then providing the pre-recordings to        the server (11) in place of a ‘live’ webcam recording.-   (step 108) The webcam request is then processed by the first user    terminal (13) and a reply sent to the server (11) indicating whether    the first user terminal (13) has a webcam (17) or other recording    device. The entity (13) may be required to press a physical or    software ‘button’ to consent for the server (11) or local software    to access the webcam (17).    -   It will of course be appreciated that reference to a ‘button’        also includes software buttons such as a hyperlink, HTML form        post, ActiveX control or other software control.    -   If a webcam (17) is not available, the access request fails        (104) and the entity (15) is denied access to the social network        (8). Alternatively, the entity (15) may be provided with access        to the social network (8) but will have a record on the        corresponding registered user's account that the entity was not        assessed and a notification (19) generated (112) for other users        attempting to communicate with the entity (15).    -   If a webcam (17) is available but the entity (15) denies access        to the webcam (17) then the server (11) may treat the denial as        a ‘negative’ assessment signal, classify the entity (15)        negatively and/or may restrict access or take other action as        required, as an entity (15) denying access to an available        webcam may indicate an imposter.-   (step 109) If a webcam (17) is available, the server (11) implements    the prompt generation module (67 a) to pseudo-randomly select three    actions from a populated list (22) of actions (20) stored in a table    in data store (61). Prompts (18) for the selected actions (20), the    sequence and the time delays between consecutive prompts (18), along    with a timestamp and unique identifier, are stored in the database    (50) against the corresponding user account. A script or executable    is sent to the user terminal (13) which contains details of the    prompt sequence to display and other parameters such as the unique    identifier and any special instructions.    -   The script is received at the first user terminal (13) and        invokes the prompt display (67 k) and video recording (67 g)        modules to operate using the information in the script.    -   The time-delimited sequence of three prompts (18) is displayed        on the first user terminal (13) to sequentially ask the entity        (15) to perform the visible prompted actions (20), e.g. as shown        in FIGS. 7-9 the predetermined actions (20) may be a sequence of        facial expressions such as “smile”, “unhappy” and “tongue out”.        The prompts (18) are displayed in sequence with the assigned        time delay between each prompt (18).    -   The predetermined actions (20) may be selected pseudo-randomly        or alternatively, determined by an algorithm that selects        actions based on particular criteria. In a given country for        example, the list (22) of possible actions (20) for users may be        limited by removing potentially offensive gestures. Similarly,        the list (22) of actions (20) may be restricted or determined by        the religion, ethnicity, sex, age, or any other user identifying        characteristic stored in the corresponding registered user's        account. As the actions (20) selected are unpredictable, an        imposter would be unable to regularly anticipate the next prompt        in order to create a falsified video recording to replace a live        webcam (17) video. It should also be appreciated that the        actions (20) may include not only facial expressions but        alternatively, or in addition—body gestures, sound or any other        action visibly discernable and identifiable by an assessing        user.-   (step 110) the video recording (67 g) module is run concurrently    with displaying the prompts (18) enabling the webcam (17) to record    a live, real-time performance of the entity (15). An example of the    video capture screen (53) and prompts (18) is shown in FIG. 10a .    The entity (15) is also able to review a playback of their video    recording and can repeat the recoding process if unsatisfied with    the recording.-   (step 111) Simultaneously (with steps (109) and (110)) the script    from the server (11) implements the data storage (671) module to    stream the video data to data store (61 a) which is stored with a    unique identifier as the video filename. As another optional facet    of identity information, the location and/or local time of first    user terminal (13) may be determined and stored in the database (50)    along with the corresponding prompts (18) or alternatively with the    video recording (21) in data store (61 a).    -   Alternative embodiments may have a video recording (21) formed        as a composite of multiple individual recordings. The recordings        (21) may be sent to the data store (61 a) individually, or the        recordings (21) may be continuous or joined together before        being sent to the server (11). The recordings may be streamed to        the server (11) or store (61 a) or sent as an upload package.    -   The server (11) generates at least three prompts (18) to        minimise the risk of the entity (15) providing pre-recordings or        false recordings of a single or two predetermined actions (20).        It will also be appreciated that any number of prompts (18)        could be provided. Increasing the number of prompts (18) or        possible actions (20) correspondingly minimises the ability for        an impostor to provide pre-recordings of the corresponding        registered user or another person performing those actions (20)        in the correct sequence. The total number of unique sequences of        prompts (18) and actions (20) possible are determined by the        number of prompts (18) and number of different actions (20),        according to the equation:        P=n!/(n−k)!        where n≥k,        P=number of unique sequences, n=number of different possible        actions (20), k=number of prompts (18)    -   Thus, by way of example, three different predetermined actions        (20) comprised of “smile”, “unhappy” and “tongue out” in a        sequence of three prompts (18) could be provided in six unique        sequences. Adding a choice of a further two different actions        (20), e.g. “frown” and “wink”, would increase the number to        sixty unique prompt sequences.-   (step 112) In some circumstances the entity (15) may choose to defer    or bypass the video login process (109-111) and proceed directly to    access (113) the data network (10). The entity (15) may choose not    to conduct the video login process (109-111) if, for example they do    not have a webcam (17) or other recording device. However, it will    be appreciated that bypassing of the video login process (109-111)    also bypasses the benefits to other users of being able to visually    assess the entity (15) logged on as a corresponding registered user.    -   Thus, the server (11) is configured to record (112) in the        registered user's account that the entity (15) has not recorded        a video login and has not been assessed but otherwise will treat        the entity (15) as the corresponding registered user. When other        users, e.g. assessing user (16), attempt to communicate with the        entity (15) the server (11) sends the assessing user (16) a        notification (19) that the entity (15) has no recorded video        login and has not been assessed.    -   This notification (19) may, by way of example, be a message,        warning, pop-up control, button or other visible/audible        notification. The notification (19) may remain in effect until        the entity (15) conducts the video login process (109-111). The        video login process (109-111) may also be bypassed if the        registered user's account indicates the registered user has        special dispensation, or is otherwise not required to verify        themselves, e.g. if the registered user is identified as a        security administrator or the like.-   (step 113) Once the entity (15) has finished the video login process    (109-111) and the server (11) has stored the recording (21) the    access request and video login process is complete and the entity    (15) is provided access to the communication network (10).    Alternatively, the entity (15) may view the recording (21) and    repeat steps (109)-(111) if they are not satisfied with the    recording.

Preferentially, this access process (100) is also completed by theassessing user (16) and each other user accessing the communicationnetwork (10) such that all, or at least most users have video recordings(21) for assessment.

FIG. 4 shows an example of a second stage (100 b) in a preferredembodiment of the present invention following the video login process(100 a) of FIG. 3. This second stage (100 b) includes the assessmentprocess of the entity (15) by an assessing user (16). Hereinafter thisembodiment shall be referred to as a ‘peer assessment’ embodimentreflecting the process of using an assessing user (16) i.e. a ‘peer’ toassess the entity (15).

-   (step 114) The entity (15) and assessing user (16) have logged in    (105) to the network (10) whereupon the assessing user (16) makes an    access request for communication with the entity (15) or the entity    (15) requests communication with the assessing user (16). The access    request may take the form of an instant message, email, blog, forum    posting, picture tagging, voice chat or any other communication. The    access request (114) to the server (11) also contains user data    identifying the entity (15) and assessing user (16).-   (step 115) Upon receiving the access request, the server (11)    queries the database and accessed user account to determine if a    timestamp (generated at (109)) exists for the last video login    recording (21), and if so determines whether the timestamp is within    a preset range, i.e. the accessed user account has a recent video    login recording (21).-   (step 116) If a timestamp does not exist or the timestamp is outside    the preset range, i.e. there is “No” recent video, the server (11)    is configured to generate a warning notification (19) (e.g. as shown    in FIG. 8) or retrieve a previously generated warning notification    (generated as per step (112)), notifying other users that the    accessed user account does not have a login video (21).    -   The server (11) may also be configured to require a new video        login (21) from entity (15) before the entity (15) can        communicate with others as the entity (15). The requirement for        an updated video may thereby reduce the opportunity of an        imposter illegitimately accessing a registered user's account        after the genuine registered user has already completed the        video assessment process (100 a) and then pretending to be the        genuine registered user.    -   The assessing user (16) may also choose to avoid/cancel        communication with the entity (15) if the accessed user account        does not have a recent login video (21).-   (step 117) If a recent video login (21) is available the server (11)    provides an HTML file or similar to the assessing user (16) with the    unique identifier for the recent video (21). The video retrieval    module (67 m) pre-fetches from data store (61 a) the recent video    recording (21) (or part thereof) that matches the unique identifier.    A still image of part of the video (21) is displayed to the    assessing user (16) who may then activate a ‘VIEW’ button or other    control which is interpreted by data store (61 a) as a “view    request” of that video (21). It should be appreciated that the “view    request” may be controlled by the user terminal (14), data store    (61) or server (11) depending on where the video recording (21) is    stored and how the system is configured.-   (step 118) If the assessing user (16) makes a ‘view request’ this    invokes the transmission of the video (21) to the second user    terminal (14) from data store (61 a). The unique identifier is also    used to retrieve the corresponding prompts (18) from server (11) for    simultaneous synchronised display overlapping the video (21).    Examples of the display of the video (21) and prompts (18) are shown    in FIG. 7 and FIG. 9. It will be appreciated however that the    prompts (18) will not be displayed together and instead are    displayed singularly in sequence with time delays between    consecutive prompts. It should also be appreciated that the video    (21) need not be pre-fetched and may instead be streamed or    downloaded when the view request control is activated.    -   The assessing user (16) is thus able to assess whether or not        the recording (21) shows the entity (15) performing the        predetermined actions in the correct sequence as is shown in        FIG. 7, or in an incorrect sequence such as shown in FIG. 9.-   (step 119) The assessing user (16) can alternatively choose not to    make a view request. The server (11) may then allow (123) or block    (125) communication over the social network (8) between the    assessing user (16) and entity (15) depending on the security    policies of the social network (8).-   (step 120) After viewing the recording (21) the assessing user (16)    is asked to assess the entity (15) in the recording (21).    Additionally, the assessing user (16) is preferably provided access    to identifying characteristics of the accessed user account, e.g.    the name and a profile picture of the registered user. If the    assessing user (16) chooses not to assess the entity (15) the server    (11) determines (119) whether or not to allow (121) or block (132)    communication over the social network (8) between the assessing user    (16) and entity 15)-   (step 121) If the entity (15) is assessed, the assessing user (16)    provides an assessment signal which includes a positive, negative or    inconclusive indication of whether or not they consider the video    recording (21) and recorded entity (15) to be ‘trustworthy’ or    potentially an ‘imposter’. The assessment signal may be generated by    selection of a button or other user control.    -   The assessment signal is preferably composed of a number of        individual assessment signals corresponding to the different        possible assessments to be made. Examples of the assessment        types preferably include the following:    -   a) Actions assessment—i.e. whether or not the entity's (15)        actions (20) are a valid response to the prompts (18), e.g. did        the entity (15) perform the correct actions (20) in the correct        sequence given the prompts (18) made?    -   b) Visual assessment—i.e. whether or not the entity (15) has        been assessed as having the same or similar characteristics as        the identifying characteristics of the accessed user account,        e.g. does the entity (15) appear to match the profile image        stored in the accessed user account?    -   c) Persona assessment—i.e. whether or not the entity (15) is        recognised as corresponding to the persona of the accessed user        account, e.g. is the entity (15) the person who you expected?        -   The accessed user account may portray a particular persona            through various identifying characteristics such as name and            location indicating a particular person. However, in some            circumstances the accessed user account may be created by an            entity (15) attempting to portray themselves as someone            else, e.g. a famous actor/actress or politician. The entity            (15) (who may be a valid registered user) may have common            identifying characteristics (e.g. age, appearance, gender)            to the persona portrayed and so the assessment at b) should            have a positive result. However, the assessing user (16) may            make the additional assessment that while some of the            characteristics match, the entity (15) is not who was            expected based on the persona portrayed. This persona            assessment may also apply where the persona matches a            relative or personal acquaintance of the assessing user.    -   d) General assessment—e.g. is the video recording (21)        suspicious?    -   The assessing user (16) may select from a range of assessments        that provide differing information about the video recording        (21) and entity (15). For example, the assessment signal        provided may be processed by the server (11) as a        “classification” for the entity based on the results of the        above various assessments made by the assessing user.    -   The following Table 4 shows one example of the assessments made        and potential resulting classifications:

Action Visual Persona General Assessment Assessment AssessmentAssessment Classification Positive Positive Positive Positive PositivePositive Positive Positive Negative Negative Positive Positive NegativePositive Inconclusive Positive Positive Negative Negative NegativePositive Negative Positive Positive Negative Positive Negative PositiveNegative Negative Positive Negative Negative Positive Negative PositiveNegative Negative Negative Negative Negative Positive Positive PositiveInconclusive Negative Positive Positive Negative Negative NegativePositive Negative Positive Inconclusive Negative Positive NegativeNegative Negative Negative Negative Positive Positive Negative NegativeNegative Positive Negative Negative Negative Negative Negative PositiveNegative Negative Negative Negative Negative Negative

-   -   The classifications can of course be altered to suit particular        applications and security policies.

-   (step 122) If the server (11) makes a positive classification, the    server (11) may be configured to then record to the accessed user    account that the entity (15) has been assessed positively. The    server (11) may remove any existing warning notifications (19)    and/or add a “positively assessed” notification (not shown) such    that other users are able to see the entity (15) has been positively    assessed. The server (11) also records to the database in the    accessed user's account the total number of positive classifications    made.

-   (step 123) Once a positive classification is made, the server (11)    can allow the entity (15) to communicate with the assessing user    (16) over the social network (8).

-   (step 124) If the server (11) makes a negative classification, the    server (11) then records to the accessed user account that a    negative assessment has occurred, e.g. an imposter may have tried to    communicate on the network (8). The server (11) may then generate a    warning notification (19) for other users attempting to communicate    with the entity (15). The server (11) also records the number of    negative classifications made to the accessed user account in the    database (50). An alert may also be provided to an administrator to    investigate.    -   The server (11) also queries the database (50) to determine the        total number of negative classifications made and if the number        (or ratio of negative to positive classifications) is over a        preset threshold.

-   (step 125) If the server (11) determines at (124) that the threshold    is not exceeded, the server (11) may automatically prevent (‘block’)    communication between the entity (15) and assessing user (16) for    the duration of the first user's login period or other predetermined    time period. The entity (15) is blocked from interacting with the    assessing user (16), but as sufficient other users have not marked    the entity (15) as suspicious (i.e. negative classification    threshold not exceeded), the entity (15) remains logged in as the    registered user and has the opportunity to interact with other users    as per (130). Alternatively, the entity (15) may be asked to repeat    the assessment process from step (109), i.e. they are given the    opportunity to create a new login video (21).

-   (step 126) If the server (11) determines at (124) that the threshold    is exceeded the server (11) may automatically block communications    between the entity (15) and any other users for the duration of the    first user's login period or other predetermined time period. The    server (11) also records to the accessed user account that    communication has been ‘blocked’.

-   (step 127) The server (11) then queries the database and determines    if the entity (15) has been previously blocked.

-   (step 128) If the server (11) determines that the entity (15) has    not been blocked previously, the server (11) may be configured to    automatically log out the entity (15) and require the entity (15)    perform the video login process (steps 107-111) upon their next    login, i.e. the entity (15) is returned to step (101).

-   (step 129) If the server (11) determines that the entity (15) has    been blocked at least once previously, the server (11) may be    configured to automatically suspend the accessed user account and/or    notify a system administrator or other authority to investigate.

-   (step 130) After assessment is complete at step (123) or if    communication has been blocked (125) for the first time, the server    (11) may be configured to determine (130) whether the entity (15)    wants to communicate with other users, in addition to, or instead of    the assessing user (16).

-   (step 131) If the entity (15) does want to communicate with other    users, the server (11) queries the database (50) for the accessed    user account to determine if the number of positive classifications    or ratio of positive to negative classifications is over a preset    threshold.

-   (step 132) If the accessed user account indicates that the positive    classification threshold is not exceeded, i.e. the answer at step    (131) is “No”, the assessment process (115 onwards) is repeated for    each additional user (replacing the assessing user (16) in the    process with the additional user) until a sufficient number of    positive classifications is reached.    -   Alternatively, step (131) may be performed for every additional        user or for randomly selected additional users.

-   (step 133) If the accessed user account has a sufficient number of    positive classifications, the entity (15) may be allowed to freely    communicate with other users. However, such other users may be    notified that the entity (15) has sufficient validations and the    other users may still be able to request the entity (15) re-verify    themselves and any other users for the duration of the first user's    login period.    -   In configurations where the entity (15) does not require        communication with any other users, no further action is        required in the process.

-   (step 134) As an alternative to step (131), if the entity (15) does    want to communicate with other users, the server (11) may require    the assessment process (115 onwards) to be completed by the other    users, i.e. the entity (15) is substituted with an ‘additional    user’. Thus, once the entity (15) has accessed the communication    network and been assessed positively they may be free to communicate    with other positively assessed users and/or require other users to    be assessed by the entity (15). This step (133) may be performed for    every additional user, for a predefined number or for selected    additional users.

-   (step 135) In some circumstances the assessment signal received may    indicate an inconclusive assessment. The inconclusive classification    may result from a mix of positive or negative assessments as    detailed in Table 4 or where the assessing user otherwise explicitly    indicates they cannot make a conclusive assessment, e.g. if the    video quality is poor, there are insufficient identifying    characteristics to make the visual and persona assessments or any    other reason. Where an inconclusive classification is made the    server (11) may be programmed to trigger an ‘investigation’ of the    inconclusive classification. Such investigation may include:    -   a. notifying an administrator or the like;    -   b. requesting further information from the assessing user, e.g.        why was the assessment inconclusive;    -   c. requesting the entity (15) to repeat the video login        procedure (100 a);    -   d. requesting the assessing user (16) repeat the assessment        (120);    -   e. another appropriate response.

As a result of the investigation (135) the entity (15) may be blocked(125), or allowed (123) to communicate with the assessing user (16).

While the aforementioned method of entity assessment shows the prompts(18) and recording process ((107) to (111)) taking place when the entity(15) is ‘logging in’ to the social network (8), it should be appreciatedthat these steps ((107) to (111)) may alternatively, or in addition, berequired at any access request which will result in communication orother interaction between the entity (15) and another user or may berequired on demand of the assessing user (16) or another user.

A specific computer software implementation of the aforementioned methodof entity assessment shown in FIGS. 3 and 4 is now generally described.It should be appreciated that the following implementation is purelyexemplary and numerous software platforms and configurations may be usedwithout departing from the scope of the present invention. The hardwarerequired has already been shown and described with respect to FIG. 2. Toaid succinctness, notation herein to a forward slash (/) prefix shouldbe understood to refer to a Uniform Resource Locator (URL) from the hostwebsite, e.g. “/example” refers to www.example.com/example.

-   -   At least three tables are provided as part of the database (50)        in data store (61). These tables include:        -   TBL_ACTIONS. Each TBL_ACTIONS record includes:        -   a prompt description of an action (20);        -   the time period that prompt (18) needs to be displayed for;        -   a ‘prompt’ key;        -   TBL_ACTIONGROUP. This table is populated with the /get-clip            script. Each        -   TBL_ACTIONGROUP record includes:            -   three prompt keys from the TBL_ACTIONS table;            -   corresponding time period that the prompts (18) are                displayed;            -   the order in which the prompts (18) are provided;            -   a timestamp with the date/time when the TBL_ACTIONGROUP                record was created;            -   a user ID of the accessed user account on the social                network (8);            -   a corresponding ‘ActionGroup’ key;        -   TBL_ASSESS. This table is populated with the/assessment            script. Once the recording (21) has been viewed by the            assessing user (16), the assessing user (16) assesses the            entity (15) and selects a series of buttons respectively            indicating positive, negative or inconclusive assessments            for the ‘actions’, ‘visual’, ‘persona’ and ‘recording’            assessments, each button generates a corresponding positive,            negative or inconclusive assessment signal. Each TBL_ASSESS            record includes:            -   the ActionGroup key;            -   the user ID of the assessing user (16);            -   a positive, negative or inconclusive assessment                classification as determined according to Table 4 using                the received assessment signals. Any received                ‘inconclusive’ signal received results in an                ‘inconclusive’ classification.            -   a timestamp with the date/time when the assessing user                (16) viewed the recording (21) and provided the                assessment signals.

In addition, the social network (8) has a database with user accountscorresponding to registered users and having such fields as: user ID,user IDs of other users accessible by that registered user, identifyingcharacteristics and various other details. Such databases are known andwill not be described further. The social network database may be formedas part of the server database (50) or may be provided separately withthe server (11) and/or user terminals (13, 14) having at least partialaccess to the records.

Two Flash™ applications are provided including a “video playback module”(67 m) and a “video recording module” (67 g). These modules are storedas SWF files in the server (11) and are served to the user terminals(13, 14) when the user terminal (13, 14) requests them. The userterminals (13, 14) are able to request these modules as they arereferenced in HyperText Markup Language (HTML) which is served to theuser terminals (13, 14) in a previous HyperText Transfer Protocol (HTTP)GET procedure when the entity (15) or assessing user (16) makes anaccess request (101) or (114).

Hypertext Pre-processor (PHP) and HTML Scripts are provided. The PHPscript is executed when the client (first user terminal (13)) does GETor POST requests. The PHP script can output HTML or Text. The PHP scriptcan also run database queries. The scripts include:

-   -   /get-clip. When an access request (101) or (114) is made via a        network browser (79) on the first user terminal (13) to the        server (11) the /get-clip script causes the PHP engine on server        (11) to query the database (50) and create a new record in        TBL_ACTIONGROUP with the records described above. The        ActionGroup key also forms the filename that the subsequent        video recording (21) will be saved as when made. The video        recording filename (ActionGroup key) is specified as a parameter        to pass to the video recording module (67 g) when it is        executed. The video recording module (67 g) then severs (if not        already cached) and then loads the recording parameters.    -   /actionxml. Uses the ActionGroup key and queries TBL_ACTIONS to        retrieve the corresponding sequence of prompts (18) which is        then passed to the first user terminal (13) as an XML file.        Using the ActionGroup key in the Flash™ applications rather than        the prompt keys or prompt information ensures interception of        the XML can't be used to identify the prompts (18) and therefore        provide an entity (15) with a means for pre-recording a video        with the correct prompt sequence before receiving the prompts        (18).    -   /view-clips. When an assessing user (16) makes a communication        request (114) from second user terminal (16) the /view-clips        script is requested by browser (79). The /view-clips script        extracts from the social network database the assessing user's        ID, other accessible user's IDs and names, including the entity        (15). An ‘ActionGroup’ query is run on the server database (50)        for each user ID returned from the social network database        query. The ActionGroup query returns any records from        TBL_ACTIONSGROUP where the corresponding user has a related        record and, if so, the most recent ActionGroup key (as        determined from the corresponding timestamp) is returned as a        parameter. The ActionGroup key is also the filename of the last        video recording (21) and thus the/view-clips script ensures only        users with a video recording (21) are returned by/view-clips and        only with their most recent recordings.    -   The ActionGroup key, user ID and assessing user ID is then        passed as a parameter to the video playback module (67 h) when        it is executed.    -   The view recordings page (shown in FIG. 10b ) is sent to user        terminal (14) and the video playback module (67 h) reads in the        parameters and requests from the data store (61 a) the        corresponding video recording file (FLash Video (FLV)) over HTTP        and the first frame of the video recording (21) is fetched and        displayed on the browser (79) next to the corresponding user's        name.    -   An assessment rating (51) is also calculated and retrieved by        running a query of TBL_ASSESS using the ActionGroup key and        calculating: Total positive classifications/(Total        classifications)*100    -   this thereby gives a percentage assessment rating (51). This        assessment rating (51) is displayed as text next to the first        frame of video recording (21) on browser (79).    -   /assessment. This is a URL that the video playback module (67 h)        calls to record the assessment signals assigned to the entity        (15) by the assessing user (16). The parameters passed with this        script include the ActionGroup key, of assessing user ID and        positive, negative assessment or inconclusive signals. The        /assessment script checks for a valid ActionGroup key, and        writes the appropriate record to TBL_ASSESS with the determined        assessment classification and assessing user ID. The ActionGroup        key will not be ‘valid’ if no matching key exists in        TBL_ACTIONGROUP or the record in TBL_ACTIONGROUP has a timestamp        outside a preset range, e.g. the record is too old.

The video recording module (67 g) Flash™ application performs thefollowing procedures:

-   -   reads in a parameter from /get-clip. which is the ActionGroup        key stored in TBL_ACTIONGROUP.    -   issues a requests to /actionxml using the recording filename        which returns the corresponding three prompt keys.    -   starts the camera (17).    -   starts streaming the video recording (21) over a Real Time        Messaging Protocol (RTMP) to the data store (61 a), which        converts the stream to a Flash Video (FLV) file with the        recording filename being the ActionGroup key.    -   displays text “Please get ready”.    -   displays the prompts (18) in pseudo-random sequence with a time        delay between each prompt (18) and a notification of time        available to perform each prompt (18).    -   a ‘cue’ timestamp is inserted into the video recording (21)        stream when each prompt (18) is displayed, thereby indicating        the time the prompt display started.    -   stops streaming.    -   shuts down.    -   redirects first user terminal internet browser to a new page        /view_clips where the entity is able to view their video        recording (21).

The video playback module (67 h) Flash™ application:

-   -   reads in the parameters from /view-clip which include the most        recent ActionGroup key for each corresponding user.    -   issues a request to /actionxml using the ActionGroup key which        returns the three prompts (18).    -   requests the movie FLV over HTTP from data store (61 a).    -   waits until the assessing user (16) makes a view request (117)        by selecting a “play” button on browser (79).    -   plays the FLV video on the user terminal (14) browser (79). The        corresponding prompts (18) are displayed when a cue timestamp is        detected.    -   asks the assessing user (16) to select buttons indicating        positive, negative or inconclusive assessments for the        ‘actions’, ‘visual’, ‘persona’ and ‘recording’ assessments.    -   when the assessing user (16) selects a button then a HTTP        request is made to/trust-response with the ActionGroup key, the        user ID of the assessing user (16) and the assessment signal.        The /assessment PHP script stores a record in TBL_ASSESS        accordingly.

It will also be appreciated that the aforementioned method may bealtered to suit the social network, security policies or similar. Itshould also be appreciated that the software may be constructed and runusing different programming platforms, e.g. JavaScript™, HTML5,Microsoft™ Silverlight™ etc.

It will be appreciated that the aforementioned embodiments areparticularly suited for use in general social networks, children'ssocial networks, gaming networks and/or relationship facilitationservices such as ‘dating’ websites.

The aforementioned assessment method (100 a-b) may also require theentity (15) and/or assessing user (16) to perform an initial video loginprocess (109-111) when registering an account in the database. Therecording(s) (21) may then be stored on the server (11) and used as areference recording. Thus, in the event of a dispute between usersand/or where suspicious activity arises, another user, a networkadministrator, and/or an investigator can view the initial recording andcompare with subsequent recordings to determine whether the person shownis the same in both.

There have been numerous instances of internet sites or social networkprofiles/accounts being set up by entities impersonating celebrities,public figures, companies or other public or private entities. Theseentities may then deceive other users as to their identity and/ortarnish the reputation of the person/entity they are impersonating. Insuch instances it is difficult to verify the authenticity of the userwithout directly contacting the supposed entity by alternative means,e.g. phone.

The present invention however may alleviate this problem by providing anassessment recording (21) (as previously described) showingunpredictable prompts (18) and an entity (15) performing (or not) theprompted visible actions (20). If the entity (15) shown in the recording(21) is assessed negatively (15), then other users will be aware theaccessed user account may have been accessed by an imposter and cannotify the network administrator, other authority or simply treat theentity as they want.

FIG. 5 shows an alternative peer assessment method 100 c that uses theinitial method 100 a and is generally similar to method 100 b butdiffers in that no assessment (120 onwards) is required. Accordingly thesame reference numerals are used for common steps in methods 100 b and100 c.

In relationship facilitation services (e.g. dating and friend makingwebsites) the primary goal of users is often to meet new people andassess those people for potential relationships. However, theaforementioned assessment methods (100 b) require the assessing user(16) to make multiple assessments, e.g. actions, visual, persona andgeneral, some of which may be overly onerous or impossible whenassessing an entity (15) they have never met before. Therefore, themethod (100 c) is an embodiment which still provides many of theadvantages of the aforementioned method (100 b) but which does notrequire the assessing user (16) to provide an assessment signal, i.e.the assessing user (16) is free to choose whatever action to take basedon their own assessments.

Thus, instead of an active assessment (121), the assessing user (16) onviewing the video recording (21) can make a choice (150) on whether ornot to communicate with the entity (15) shown in the recording (21). Ifthe assessing user (16) does not want to communicate, the server (11) isprogrammed to allow communication or not as described with respect to100 b. The method (100 c) provides the assessing user (16) with the sameinformation to assess the entity (15) as in the 100 b method but withoutrequiring active feedback from the assessing user (16) via theassessment signal. The burden on the server (11) is thus reducedrelative to the method 100 b. In one further embodiment, shown asoptional step (151) in FIG. 5, the assessing user (16) may also select auser interface button control at the assessing user terminal (14) togenerate a positive or negative assessment signal respectivelyindicating whether or not they positively assess the entity (15) or wantto communicate with the entity (15). No further action is taken if theassessment signal is positive and the entity (15) and assessing user(16) are free to communicate. However, if the assessment signal isnegative then the server (11) may prevent or restrict communication fromthe entity (15) to the assessing user (16) for the rest of the entityslogin session, permanently, temporarily or until the assessing user (16)provides a positive assessment signal.

In the embodiments shown in FIGS. 2-5 the control system server (11) canbe an integral part of the social network (8) to not only conduct thepreferred procedures of the present invention but also the generalprocedures of a typical social network, e.g. storing user data, routingcommunications etc.

However, in another preferred embodiment of the present invention asshown in FIG. 6, the social network (8) may operate independently to theserver (11). The server (11) instead acts as a proxy between the userterminals (13, 14) and social network (8). Acting as a proxy allows theserver (11) to control access to the social network (8) and informationpassed between the user terminals (13, 14) and social network (8)without being required to operate the social network (8) itself.

The server (11) functioning as a proxy server will operate as describedabove with respect to FIGS. 2-5, though it will be appreciatedadditional program modules may be needed to control transmission to andfrom the social network (8), intercept data and HTML and extract userinformation (e.g. a user's contact list) from the social network (8).

In operation, the embodiment of FIG. 6 operates using substantially thesame method as shown in FIGS. 3-5, i.e. on receiving an access requestfrom an entity (15) or assessing user (16) at user terminals (13, 14)the server (11) may present the entity (15) with the login screen tosocial network (8). If the correct credentials are entered the server(11) retrieves at least one identifying characteristic and optionallyother details from the accessed user account on the social network (8)and passes to the user terminal (13). The identifying characteristicsinclude name, gender, age, profile image, location, nationality,occupation. Other details may include profile information, contact list,personal interests, memberships and the like. The entity (15) makingaccess is then able to access the social network information as per adirect access, except for where the entity (15) wants to communicate orshare information with another user of social network (8) (or viceversa) and the entity (15) does not have a corresponding video recording(21) as determined by server (11).

When the server (11) determines an access request is made by an entity(15) without a corresponding video recording (21) the server (11) mayrestrict access or communication on the social network (8) byintercepting the HTML from the social network (8) and modifying it towarn any other user, e.g. assessing user (16), that the entity (15) doesnot have a video recording (21). The entity (15) is then prompted to gothrough the process (106)-(112) as shown in FIG. 3 and then be assessedby the assessing user (16) as per the process of FIG. 4.

The server (11) may also apply the same access and communicationrestrictions as described with respect to the earlier embodiments ifassessments with respect to an entity accessing a particular accesseduser account are negative, e.g. marking user as suspicious, restrictingcommunication, generating warning notifications and the like.

Also with respect to FIG. 6, another alternative embodiment is describedwhere the entity assessment methods (100 b, 100 c) may be implementedvia a software application such as a network browser extension orplugin, i.e. the server (11) does not act as a proxy but is linked tonetwork browser (79) on the user terminals (13, 14). When the networkbrowser (79) communicates an access request to social network (8) froman entity (15) or assessing user (16) at user terminals (13, 14respectively) the network browser (79) may present the entity (15) witha login screen to server (11) which also provides access to the socialnetwork (8) if credentials matching a registered user's account areentered. If the correct credentials are entered the server (11) passescorrect login details to the social network (8) via browser (79) andretrieves the social network HTML as per a direct access to the accesseduser account. The entity (15) is then able to access the social networkinformation as per a direct access except instances where the entity(15) wants to communicate or share information with another user ofsocial network (8) (or vice versa) and the entity (15) does not have acorresponding video recording (21) as determined by the server (11).When such an access request is made by an entity (15) without acorresponding video recording, the browser (79) may restrict access orcommunication on the social network (8) by intercepting and storing datasent from that entity (15) until that entity (15) has performed themethod steps (106)-(112) as shown in FIG. 3 and been assessed as per themethod (100 b) of FIG. 4.

The browser (79) may also apply the same access and communicationrestrictions as described with respect to the earlier embodiments ifassessments with respect to a particular user are negative, e.g. markinguser as suspicious, restricting communication, generating warningnotifications and the like. By way of example, parents may install suchan application or browser extension on their child's computer to preventdirect access to specific social networks (8).

The embodiments illustrated with reference to FIG. 6 thereby allowinteraction on the social network (8) without requiring the server (11)be integrated with the social network (8) while helping to ensure thatimposters are identified and assessing users are confident of theidentity, or at least appearance of the entity they are communicatingwith.

The embodiments of FIG. 6 are particularly useful where the socialnetwork (8) does not implement the entity assessment methods (100) ofthe present invention but the users (15, 16) still want to receive thebenefits of using such an entity assessment method (100).

FIGS. 7-9 show the data network (10) with an internet social network (8)or relationship facilitation service (e.g. “dating website”) with whichthe method of entity assessment according to one aspect of the presentinvention (shown in flow-chart form in FIGS. 3-5) can be implemented.

FIG. 7 shows an entity (15) being prompted with a sequence of threeunpredictable prompts (18) to perform three visible actions (20) in theform of “smile”, “unhappy” and “tongue out”. A dashed arrow labelled “T”indicates the passage of time between prompts (18) or actions (20). Theprompts (18) are displayed individually for a predetermined length oftime, e.g. seven seconds. The entity (15) is asked to perform theactions (20) as the prompts are displayed (18) and the webcam (17) atfirst user terminal (13) simultaneously records the prompted actionperformance of the entity (15). The recording (21) is then stored andserved to an assessing user (16) at second user terminal (14) who isable to view and assess the recording (21) as displayed at the seconduser terminal (14). FIG. 7 shows the circumstance where the entity (15)performs the correct actions in the correct sequence and thus theassessing user (16) is able to assess the entity (15) positively ashaving preformed the correct actions in the correct sequence.

FIG. 8 provides the same initial situation as in FIG. 7 but no recording(21) is provided to the assessing user (16) which results in theassessing user (16) providing an “inconclusive” or “negative” assessmentas they are unable to view the entity (15).

FIG. 9 also provides the initial situation as in FIG. 7 but the entity(15) has performed the prompted actions (20) in an incorrect sequence.The assessing user (16) may thus assess the entity (15) negatively andchoose not to communicate with the entity (15). An example of the videocapture screen (53) and a single prompt (18) is shown in FIG. 10a . Theentity (15) is also able to review a playback of their video recordingand can repeat the recoding process if unsatisfied with the recording.

The server (11) configured for either methods 100 b or 100 c, may alsobe programmed to determine if a sufficient number of users providenegative assessments of the video recordings provided by the entity(15). The server (11) then will classify the accessed user accountnegatively, e.g. ‘suspicious’. Depending on various configurations, theentity (15) may be logged out, the accessed user account suspended orother users (e.g. other members of internet dating services) can bewarned that the entity (15) corresponding to the accessed user accountis suspicious. In one embodiment vulnerable users, e.g. children, couldbe blocked from interacting with any entity (15) communicating from theaccessed user account.

Thus, the aforementioned method may help identify imposters or othersuspicious behaviour by providing a means for users to identify eachother and note anything suspicious, thereby providing a greatly enhancedassessment system and moving the burden of advanced authentication fromthe network provider to the users of the network.

It will be appreciated that the aforementioned methods may differ innumerous ways without departing from the scope of the invention.

By way of example only, the video login steps (109-111) may be requiredat one, or multiple, or each:

-   -   access request, including where user credentials are stored in        cookies on the first user terminal;    -   access request where the entity (15) or other user must enter        access credentials.    -   access request where the IP address of the first user terminal        changes.    -   access request where the physical login location of the first        user terminal changes. This may be detected based on IP address,        GPS, cellular network location detection methods of the first        user terminal.    -   n^(th) access request, per week or other time-frame.

In another example, if a particular assessing user (B) positivelyassesses (122) an entity (A) a predetermined number of times while apredetermined number of other users negatively (124) assess user (A),then the server (11) may store a record in the assessing user's accountthat assessing user (B) is classified negatively and may be suspicious,i.e. assessing user (B) may be attempting to falsely positively assessuser (A).

Conversely, if an assessing user (B) provides a predetermined number ofnegative assessments of an entity (A) while a predetermined number ofother users provide positive assessments, then the server (11) may storea record in assessing user (B)'s account that assessing user (B) may besuspicious, i.e. user (B) may be falsely attempting to prevent entity(A) from becoming positively assessed and communicating on thecommunication network.

The ratio of positive to negative assessments from an assessing user(16) and/or other users in relation to a particular entity (15) can beused not only as feedback on the validity of the entity (15) but also,potentially as feedback on the validity of the assessing user (16). Theentity (15) and/or assessing user (16) may thus be assigned anassessment rating based on the ratio of positive to negative assessmentsmade. As shown in FIG. 10b , this assessment rating (51) (shown as a %value) can be displayed on the web-page next to the profile picture ofthe corresponding user account. FIG. 10b also shows an example image ofthe video recording (21) of the entity (15) and details of the otherusers accessible to the entity (15) i.e. assessing user (16 a) and theircontacts (16 b, 16 c) along with the first frame of their respectiveassessment recordings (21 a, 21 b, 21 c). The entity (15) can view theircontacts' (16 a, 16 b, 16 c) recordings (21 a, 21 b, 21 c) by clickingon the still images (21 a, 21 b, 21 c). An assessment rating (51) isdisplayed for each user (16) and the total number of assessments (52) isalso displayed.

FIG. 10b may also form part of a first user's ‘friends page’ on a socialnetwork (8) such that the entity (15) (labelled “you”) is able to easilyview the assessment ratings (51) of the contacts recorded against theaccessed user account as well as take the role of assessing user (16) inthe assessment method (100 a-b) to assess those contacts (16 a, 16 b, 16c). Similarly, the contacts (16 a, 16 b, 16 c) will be able to view theentity's recording (21) to assess the entity (15).

FIG. 11 shows a process flowchart (200) of an automated entityassessment method according to another preferred embodiment the presentinvention. This method (200) uses an automated face and gesturerecognition system (not shown) instead of the assessing user (16) in themethod shown in FIGS. 4-5. The method (200) generally uses comparablehardware as shown in FIG. 2 but with the further inclusion of gestureand face recognition software and necessary hardware, e.g. dual cameras,infrared illumination system and the like.

Such face and gesture recognition systems are well-known in the art andwill not be described in further detail herein, except to state that theface recognition system needs to be capable of analyzing human facialfeatures to compare with a reference source such as a video, image orbiometric data. A match is determined if the correlation between theface detected and the reference source is sufficient. The gesturerecognition system needs to be capable of detecting human facial and/orbody gestures. An example of a suitable facial and gesture recognitionsystem is the Microsoft™ Kinect™ system. The gesture recognition systemmay alternatively use additional apparatus, e.g. a traceable item thatthe user performs the gestures with. The traceable item thus negates theneed for the gesture recognition system to recognize human body parts.

The method, system and software of the second embodiment (200) may alsobe used on proprietary hardware, e.g. the first user terminal (13) maybe a kiosk, security door, banking ATM, mobile phone, or other devicecapable of accessing a data network.

In general the aforesaid second embodiment (shown in FIG. 11) involvesthe following steps:

-   (step 201) Receiving an access request from an entity (15) from a    first user terminal (13) for access to a user account on the data    network (10).-   (step 202) The access request includes an initial “login” request    (201) with submission of credentials including a user ID and    password. A database (50) of user accounts is queried to identify a    user account with a matching user ID.-   (step 203) The server (11) receives the submitted credentials and    determines if they match the credentials as indicated by the    accessed user account, and/or whether the user ID entered matches    any user account in the database (50). If the credentials don't    match, the login fails and the entity (15) is notified that the    login has failed (215). The entity (15) is then returned to repeat    the login process (201).-   (step 204) If the credentials do match, the initial login is read as    a success. The next step (205) involves sending a request to the    first user terminal (13) to access a webcam (17) or other recording    device. This request may be in the form of a Flash™ application,    remote method invocation, an HTTP GET/POST request (a URL request),    an application specific request or similar. Alternatively, the    entity (15) may be required to install software on the first user    terminal (13) which then accesses the webcam (17) on behalf of the    server (11). The webcam (17) is preferably controlled by the    software or web server (11) to prevent pre-recordings being provided    to the server (11) in place of a ‘live’ webcam recording.-   (step 205) The request is then processed by the first user terminal    (13) and a reply sent to the server (11) indicating whether the    first user terminal (13) has a video recording device (17).    -   If a video recording device (17) is not available, the access        request fails (215) and the entity (15) is denied access to the        data network (10), or only permitted restricted access.-   (step 206) If a video recording device (17) is available, the    control system (11) accesses the accessed user account and queries    the existence of pre-recorded biometrics extracted from a    calibration process (213) that analyses the face and gesture    biometrics of the registered user of the accessed user account when    first registering. If no pre-recording exists the entity (15) is    treated as the registered user and is asked to perform the    calibration procedure (213) after step (206).-   (step 207) If the control system (11) locates existing biometrics a    sequence of unpredictable prompts is invoked and the first of three    unpredictable prompts (18) is displayed on the first user terminal    (13) to ask the entity (15) to perform a visible action (20), e.g.    as described with respect to the first embodiment (100).-   (step 208) The video recording device (17) then records the entity    (15) performing the first prompted action (20).-   (step 209) The server (11) repeats steps (207 and 208) with a random    time delay between each prompt (18) until three prompts (18) have    been provided and recorded.-   (step 210) The recording is then analysed using the gesture    recognition system. If the actions (20) performed by the entity (15)    match reference gestures correlating to the prompts (18) provided    and were performed in the correct sequence, then a positive    assessment signal is generated for the Actions assessment (210)    indicating the actions (20) were performed correctly. If an action    (20) is recorded that does not match the corresponding prompt (18)    or an action (20) is recorded out of sequence then a negative    assessment signal is generated for the Actions assessment (210)    indicating the prompted actions were performed incorrectly and the    login request is denied (215).-   (step 211) The recording is then analysed using the facial    recognition system. If the face of the entity (15) in the recording    (21) surpasses a threshold level of correlation to identifying    characteristics (e.g. the reference biometrics) stored in the    database (50) then a positive assessment signal is generated    indicating the entity (15) is visually assessed positively as    correlating to the accessed user account.-   (step 212) The system also captures and updates the reference    biometrics if a positive classification is made.-   (step 213) The calibration process (213) may involve two    sub-procedures (not shown in FIG. 11), namely:    -   Requesting the entity (15) present their face to the video        recording device (17) from varying angles and with various        expressions. These reference videos are analysed by a face        recognition algorithm to extract face biometrics/parameters,        e.g. distance between eyes, nose size etc. These biometrics and        the video are stored in the database (50) in the accessed user        account, and    -   prompting the entity (15) to perform a series of gestures which        are analysed using a gesture recognition algorithm to create        reference gesture parameters that are stored in the database        (50) in the first user's account record.    -   After the calibration procedure (214) the entity (15) is logged        into the data network.-   (step 214) The entity is logged into the network (10) and provided    access to the corresponding user account if the entitys (15) face    and visible actions are assessed positively with respect to    reference biometrics stored in the accessed user account.    -   The entity (15) is logged in (provided access) to the network        (10):        -   after the calibration procedure (213); or        -   upon positive actions and visual assessments (210-211)-   (step 215) As described above, the entity (15) is denied access if    the server (11) makes:    -   incorrect credentials received;    -   no video recording device present;    -   a negative actions assessment;    -   a negative visual assessment.

The aforementioned method (200) provides an automated system of entityassessment that does not rely on an assessing user (16) to assess theentity (15). The use of facial and gesture recognition systems insteadof an assessing user may thus prove useful in many applications where anentity does not wish to, or is not required to, provide video to otherusers but requires access to the data network (10), e.g. as previouslymentioned, applications such as banking logins and so forth.

In a further embodiment, the facial recognition system may also beconfigured to analyse the face biometrics of the recorded entity andgenerate a “TAMPERED VIDEO” signal if the analysis indicates rapidchanges in particular biometrics (e.g. distance between eyes) during therecording. Such changes may indicate a false video that is generatedfrom multiple recordings ‘stitched’ together.

In a further embodiment (not shown) the method (200) may be used toaccess a user terminal (13, 14), i.e. rather than accessing the datanetwork (10) directly, the assessment method (200) may be used to accessthe user terminal (13, 14). Subsequently the user terminal (13, 14) istherefore able to freely access the data network (10) or a furtherassessment process (100, 200) performed in order to gain access to thenetwork (10).

In an alternative embodiment to the login steps (202) to (203), theserver (11) may conduct steps to capture a video or image of the entity(15) and run the facial recognition algorithm (67 c) to identify useraccounts in database (50) with matching biometric data, if matching datais found the entity (15) may be automatically logged in to access thecorresponding user account, thereby obviating the need to supplyusername and password credentials. Alternatively, the server (11) mayrun steps (207) to (210) and use the video recording captured to notonly identify user accounts in database (50) with matching biometricdata but also to determine of the actions were performed ‘validly’. Thusthe entity can be ‘logged-in’ while also having their prompted actionsassessed.

Aspects of the present invention have been described by way of exampleonly and it should be appreciated that modifications and additions maybe made thereto without departing from the scope of the claims.

The invention claimed is:
 1. A method of assessing an entity, the entitycommunicating on a data network via a first user terminal connected tothe data network, wherein the data network includes one or more userrecords collectively forming a “user account” in a database in a datastore accessible by a control system and wherein the user accountincludes a set of identifying characteristics relating to a registereduser, the method utilising a control system operable to perform thesteps of: a) receiving an access request from at least one of: saidentity; an assessing user at a second user terminal connected to thedata network; b) invoking or facilitating transmission of at least oneunpredictable prompt to said entity for a performance of a correspondingresponse action, said transmission invoked by providingcomputer-executable code or computer-readable data to software on thefirst user terminal; c) invoking or facilitating transmission of a videorecording from said first user terminal and details of said prompt to asecond user terminal for viewing and assessment by an assessing user. 2.The method as claimed in claim 1, wherein the data network includes a“virtual network” formed from connections between multiple usersconnected to the data network, said virtual network embodied in relateddata records in a database, each data record corresponding to aregistered user or a user terminal.
 3. The method as claimed in claim 1,wherein a sequence of unpredictable prompts are provided for the entityto perform corresponding response actions.
 4. The method as claimed inclaim 1, wherein steps b) and c) include invoking storage of the videorecording in memory for streaming over the data network to the seconduser terminal.
 5. The method as claimed in claim 1, wherein the datastore for storing the video recording is provided separately to a userdata store containing a database of user account records.
 6. A method ofassessing an entity at a first user terminal, the method using a controlsystem including a gesture recognition system, said control systemoperable to perform the method of assessing an entity, the methodincluding: invoking or facilitating transmission of a sequence ofunpredictable challenge prompts to said entity for prompting aperformance of corresponding visible prompted response actions;capturing at least one video recording of the entity's performance,performing an automated assessment of said recording using the gesturerecognition system, generating an assessment signal indicative of saidassessment, wherein said automated assessment includes assessment by thegesture recognition system, the assessment signal respectively includinga positive or negative indication of whether or not the entity validlyperformed at least one of the prompted actions.
 7. The method as claimedin claim 6, wherein said prompts describe, portray or relate to theactions to be performed.
 8. The method as claimed in claim 6, wherein adata store for storing the recording is provided separately to a userdata store containing a database of user account records.
 9. The methodas claimed in claim 6, wherein the prompts include one or moreinstructions to perform movements or gestures of the eyes.
 10. Themethod as claimed in claim 9, wherein the method includes instructingthe entity to look at a user interface element on a display and eachprompt includes a change in displayed position of the user interfaceelement on the display.
 11. The method as claimed in claim 6, whereinthe prompts include one or more instructions to perform audible responseactions, the recording is an audio recording and the recognition systemincludes a voice recognition system analysing the audio recording tointerpret the audible response actions performed by the entity.
 12. Themethod as claimed in claim 6, wherein the control system includes one ormore user identification systems selected from the group including:fingerprint scanner iris scanner facial recognition system fingerprintidentification hand geometry palm vein authentication retina scannervoice recognition system anatomical geometry recognition any combinationor permutation of the above.
 13. The method as claimed in claim 6,wherein the video recording is a live-stream temporarily recorded in astorage medium.
 14. The method as claimed in claim 6, wherein thecontrol system performs said method upon receiving an access request,the access request including a request to make a purchase or sale of agood or service.
 15. The method as claimed in claim 6, wherein the firstuser terminal includes the control system.
 16. The method as claimed inclaim 6, wherein the first user terminal is a mobile computing device.17. The method as claimed in claim 6, wherein the recording and promptscollectively comprise a digital signature indicating acceptance of acontract.
 18. The method as claimed in claim 17 wherein the contractincludes an accommodation contract.
 19. The method as claimed in claim6, wherein the recognition system includes a facial recognition systemand the method of assessing the entity is used to provide livenessdetection.
 20. The method as claimed in claim 6, wherein the assessmentis conducted after each individual prompt and corresponding recording.